When the feds recently issued the massive 563-page Omnibus Final Rule, which modifies the HIPAA Privacy, Security and Enforcement Rules and adds the HIPAA Breach Notification Rule, benefits pros were left with one key question: How much of this really applies to me?
That’s a fair question. After all, HIPAA compliance has always been a strange animal for HR and benefits professionals.
True, HIPAA is really geared toward health care providers, and the vast majority of its rules and guidance are meant for those organizations. But employers sponsor HIPAA-covered health plans, which are covered entities under the law, so employers (as plan sponsors) have certain responsibilities under HIPAA as well.
So then what should employers know about the new Omnibus Final Rule?
Obligations and security breaches
First off, despite the sheer size of the missive the U.S. Department of Health and Human Services just rolled out, employers' obligations are basically the same. What's more, plan participants (your employees) generally have the same rights when it comes to their protected health information (PHI).
In terms of the HIPAA Breach Notification Rule, the feds made it a point to let plans know they have certain options in the event of an unauthorized use or disclosure of participants' PHI, and that not every HIPAA violation is a reportable security breach.
Under the Omnibus Final Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the plan can show there is a "low probability" that the PHI has been compromised. To make that showing, and thereby avoid sending breach notices, the plan must conduct and document a risk assessment that addresses at least the four factors spelled out in the rule:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed, and
- The extent to which the risk to the PHI has been mitigated.
Revised HIPAA privacy notices
One thing employers will definitely want to make a note of: The changes in the Omnibus Final Rule require employers to distribute a revised notice of privacy practices under HIPAA. The updated notice must inform participants of:
- their right to receive security breach notification
- HIPAA's new prohibition on the use of genetic information for underwriting purposes, and
- the requirement that the plan obtain the individual's written authorization before using PHI for marketing purposes and before selling PHI.
Employers with a benefits website must post the revised notice by Sept. 23, 2013 (the Omnibus Rule's compliance date), and must include the revised notice in the next annual mailing to plan participants. Firms without a benefits site have 60 days from the date the revised notice takes effect to distribute it; a firm that waits until Sept. 23, 2013, for its revised privacy notice to take effect will therefore have until Nov. 22, 2013, to distribute the revised notice.