Boardman Law Firm


FYI: New HIPAA Breach Notification Regulations Effective Sept. 23

By Cindy Van Bogaert
September 1, 2009

Here is your latest FYI: Employee Benefits Update from Cindy Van Bogaert, Partner and Chair of the Employee Benefits Practice Group at Boardman Law Firm LLP. This FYI provides information about new HIPAA ("Health Insurance Portability and Accountability Act") breach notification requirements for protected health information ("PHI").

Regulations were issued August 24th regarding notification requirements for breaches of unsecured PHI. The regulations are effective September 23, 2009. The regulations generally affect "covered entities" such as employer health plans (e.g., medical, dental, vision, and health flexible spending accounts) and their business associates under the HIPAA privacy and security rules.

Under the new regulations, certain breaches of unsecured PHI that may cause financial, reputational, or other harm to an individual must be reported to the individual and to the Federal government. Covered entities will need to determine if the breach falls under an exception under the rule, evaluate whether the affected PHI was "unsecured" within the meaning of the regulation, assess whether the HIPAA privacy rule was violated, and conduct a risk assessment to determine if there is a significant risk of financial, reputational, or other harm to the individual. If the breach meets the standards, covered entities must notify the individual and the Department of Health and Human Services of the breach. If the breach involves more than 500 residents of a State or jurisdiction, covered entities also must notify media outlets. A covered entity is required to train its workforce with respect to the new breach notice requirements, provide for a complaint procedure, set up breach notification policies and procedures, and meet other requirements in the new regulations.

Employers with group health plans should act now to:

  • Update written HIPAA policies and procedures.
  • Revise business associate agreements.
  • Conduct training (for one training option, see "HIPAA Privacy Training Seminars" below).

Upcoming seminars:

Please contact me if you would like more information or assistance.

This FYI is not legal advice. Individuals should seek advice based on their particular circumstances from their own counsel.

If you have any questions or need assistance, please contact Cindy Van Bogaert at (608) 283-7543 or Email.


Would you like to have FYI: Employee Benefits Update sent directly to your e-mail inbox? If so, please send your request, with e-mail address, to Cindy Van Bogaert at Email.