Human resources administrators now have less than a week to bring their privacy practices and notifications, into compliance with new HIPAA regulations issued in early this year.

The good news for most HR professionals and benefits administrators is that perhaps the most sweeping change to HIPAA with the rules effective Monday doesn’t apply directly to them, but to their third-party administrators and business associates. That can, however, require new contracts and agreements with them.

“HIPAA is this really big statute, but what we think of as HIPAA, when we use the term, are really just the privacy and security rules,” reminds Edward I. Leeds, an employee benefits and health care attorney with Ballard Spahr LLP. Leeds says more of those rules are now trickling down to outside vendors and subcontractors, with a legislative goal of improving security for the individual.

So in addition to privacy practices, your business associates agreements need to be updated. In many cases, they should be by Sept. 23, but, should the agreement have last been amended or signed before Jan. 22, 2013, employers have another year to bring their contracts and paperwork up to code.

Perhaps the biggest potential HIPAA change for intra-office concerns are the new standards concerning breaches of PHI. In short: the standard for a breach is lower, the response is larger and penalties for non-compliance now have teeth.

“We have a different standard for what a breach is, and therefore, when we need to notify people when there’s been a breach,” says A. Melinda Maher, who focuses on benefits and compensation at Dorsey & Whitney LLP.

Under HITECH’s 2009 standards, a breach was considered a user disclosure of PHI that was not permitted under HIPAA and carried a substantial risk of financial (such as credit card or Social Security information), reputational (the disclosure of an illness) or other harm. That was the standard for three years.

“The actual, final rules, are active Sept. 23,” Maher says. “And it’s more likely that you’ll have a breach now. What happened was, the standard that the secretary issued … Congress said they didn’t like it. They thought it was too lax, basically. So we have this new standard and we have to presume there’s a breach” until a risk analysis is done.

To read more about the new HIPAA regulations, and what they mean for benefits long-term, pick up EBN on Oct. 1.

Register or login for access to this item and much more

All Employee Benefit News content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access