The Health Insurance Portability and Accountability Act was initially enacted in 1996 to protect patient privacy. Recently the U.S. Department of Health and Human Services updated the law to account for new challenges caused by the digitization of health information. HHS Secretary Kathleen Sebelius noted that the update was necessitated by the medical community's growing reliance on technology.
"Much has changed in health care since HIPAA was enacted over fifteen years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age," Sebelius said in a statement.
There are now numerous provisions that affect how employers handle their group health insurance plans. Companies will need to update their practices and policies to avoid legal issues. The following is an examination of the HIPAA's new mandates that businesses need to comply with by September 23, 2013.
Agreements
According to HR Hero, the new version of the HIPAA stipulates that business associate agreements have to be in place by the September deadline. The HSS explains that these agreements are for any professional outside of a company's staff who handles or has access to health information. Further, the updates state that anyone who "creates, receives, maintains or transmits" must be part of the agreements. Timothy Stanton and Timothy Verrall, two attorneys of Ogletree Deakins, told the Society for Human Resource Management that the way the law is worded will affect compliance.
"The key addition in this part of the regulation is to be found in the word 'maintains,' because any entity that 'maintains' [personal health information] on behalf of a covered entity – even if no access to that information is required or expected – will be a business associate," they said.
Essentially, this means that anyone who has access to your employees' health information is an associate. Your insurance provider is obviously top among these partners, but there are others to consider. For instance, if you store employee records in a cloud service, the provider is a business associate that you must enter into an agreement with.
New privacy notices
Perhaps most important is that the HIPPA requires employers to distribute new privacy notices to staff members, according to HR Hero. All Notices of Privacy Practices must be updated to include new procedures regarding how the company secures health information.
Additionally, the law mandates that companies notify employees when their health information is accessed by a party other than a health care provider or business associate.