This coming September, final regulations under the Health Insurance Portability and Accountability Act (HIPAA) take effect. There is no reason to panic. Employers have time to make necessary changes, which are minimal in scope for most organizations.
The revisions to HIPAA rules that originally went into effect in 1996 translate into several changes to the current HIPAA privacy, security, breach notification and enforcement requirements, but these tweaks don’t necessarily affect employers all that much. The greater responsibility falls to brokers, lawyers and third-party administrators. As of September 23, 2013, these service providers are subject to heightened standards.
Let’s say your broker (as a HIPAA business associate of your organization) loses your employees’ health information for whatever reason. This business associate will be subject to heightened standards, according to the final HIPAA regulations.
As an employer, you will need to indicate the changes in confidentiality standards on general notices of privacy practices, such as an assurance that you will not share information.
More importantly, you should amend any business associate agreements to ensure that these third parties explicitly agree to, and comply with, the heightened standards in the final regulations. These regulations do not introduce new rules or make wholesale changes to the existing laws. Rather, they strengthen what is already in place.
If you are still concerned about compliance with HIPAA final regulations, make sure those employees who deal with your business associates get the training they need to meet the new standards.