Boardman Law Firm

FYI: HIPAA Privacy - GINA and Stimulus Law Changes

By Cindy Van Bogaert
February 27, 2009

Here is your latest FYI: Employee Benefits Update from Cindy Van Bogaert, Partner and Chair of the Employee Benefits Practice Group at Boardman Law Firm LLP.

This FYI provides information about some of the HIPAA privacy changes for employer health plans due to the American Recovery and Reinvestment Act of 2009 ("ARRA"), which was signed into law on February 17, 2009. It also addresses changes made by the Genetic Information Nondiscrimination Act of 2008 ("GINA"), which was signed into law on May 21, 2008. ("HIPAA" stands for the Health Insurance Portability and Accountability Act of 1996, as amended.)

Here are some of the main changes for HIPAA privacy for employer plans due to these laws:

  • ARRA increases enforcement of HIPAA privacy provisions effective immediately. One of the changes is to substantially increase the penalties for violations. For example, violations that are due to reasonable cause and not to willful neglect are now subject to a penalty of at least $1,000 per violation, not to exceed $50,000 per violation. The law includes a cap on penalties.
  • ARRA changes the "minimum necessary" standard under the privacy rules.
  • ARRA includes new accounting requirements for disclosures of protected health information.
  • ARRA adds significant new notice obligations for a breach of HIPAA privacy obligations.
  • ARRA provides that business associates have direct responsibility for HIPAA privacy under the law, rather than only through business associate agreements. For business associates, this means gearing up for HIPAA compliance.

There are many other changes to HIPAA privacy in ARRA. Some of these provisions are effective immediately and some have delayed effective dates.

  • GINA includes health plan limitations regarding use of genetic information. For purposes of HIPAA privacy, the privacy regulations will be revised to treat genetic information as health information under the privacy law. In addition, use of genetic information for underwriting purposes is not permitted. The provisions of GINA relating to HIPAA privacy policies of employer health plans generally are effective May 21, 2009.

What should employers do?

  • Check with your attorney to update your HIPAA compliance and documentation.
  • Revise systems and internal operations to reflect the requirements of the new laws.
  • Arrange for HIPAA training for those working with employer-sponsored health plans to cover the new laws. (I will be sending a separate email regarding our HIPAA training seminar.)
  • If you are also a business associate, check with your attorney to prepare for the major changes that will be required to implement the new HIPAA requirements.

Please contact me if you would like more information or assistance.

This FYI is not legal advice. Individuals should seek advice based on their particular circumstances from their own counsel. Nothing in this FYI is intended to be used, and no information can be used, for the purpose of avoiding penalties under the Internal Revenue Code, or promoting, marketing, or recommending to another party any transaction or matter addressed in this FYI.
