The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) recently issued final regulations (“Reproductive Health Care Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that narrow the permitted uses and disclosures of protected health information (“PHI”) in the context of an individual seeking, obtaining, providing

In clear and unambiguous terms, the U.S. Departments of Labor (“DOL”) and Health and Human Services and the Internal Revenue Service (“IRS”) (the “Agencies”) drove a stake into the heart of two suspect health insurance strategies that have been promoted to business owners across the country.    In addition, the guidance may spell trouble for a common reimbursement strategy used by employers for executives and other key employees.

For much of 2013, group health plan sponsors have been gearing up for the compliance challenges associated with the Affordable Care Act. There is no doubt that much of the planning, focus and energy trained on the next round of effective dates under the Affordable Care Act is warranted. Nevertheless, plan sponsors must be certain not to overlook the other compliance challenge for 2013 – HIPAA/HITECH. On January 25, 2013, the Department of Health and Human Services (“HHS”) issued fairly significant regulations modifying the HIPAA Privacy, Security and Enforcement rules (the “Final Rule”). The Final Rule is generally effective March 26, 2013. However, covered entities (including group health plans) and business associates (i.e., service providers that conduct business with a covered entity that involves the use or disclosure of individually identifiable health information) must comply with the new provisions by September 23, 2013. Although the Final Rule includes a multitude of signification changes, some of the most pressing compliance obligations facing plan sponsors of group health plans and their business associates impact the security breach notification rules, business associate agreements, limitations on protected health information (“PHI”), and HIPAA Notice of Privacy Practices (“NPPs”).

On May 29, 2013, the Departments of Health and Human Services, Labor and Treasury (the “Departments”) issued final regulations on implementing and expanding employment-based wellness programs. The rules set forth in the final regulations remain largely unchanged from the proposed rules issued on November 20, 2012. For example, as provided for in the proposed rules, the final regulations increase the maximum permissible reward under a health-contingent wellness program offered in connection with a group health plan from 20 percent to 30 percent of the cost of coverage. The final regulations also increase the maximum permissible reward to 50 percent for wellness programs designed to prevent or reduce tobacco use. http://www.proskauer.com/publications/client-alert/new-guidance-on-wellness-programs-issued/.  However, a few points and clarifications are particularly noteworthy:

“Sweeping changes” is how Leon Rodriquez, of the Department of Health and Human Services Office of Civil Rights (OCR), characterized the effect of the final omnibus Health Insurance Portability and Accountability Act (HIPAA) rule published in the Federal Register on January 25, 2013 at 78 Fed. Reg. 5566 (Omnibus Rule). There can be no disputing that statement. Indeed the 563-page Omnibus Rule makes a long list of significant changes to existing regulations. These include, among others:

  • modification to the standard for reporting breaches of unsecured personal health information (PHI);
  • extension of HHS enforcement authority over business associates;
  • expansion of the definition of the term business associate to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and which require routine access to such PHI, and personal health record vendors;
  • modifications to the requirements for business associate agreements;
  • new obligations for business associates to enter into business associate agreements with their own subcontractors;
  • the removal of limitations on the liability of covered entities for the acts and omissions of business associates;
  • changes to the requirements for notices of privacy practices;
  • new limitations on the sale of PHI;
  • new limitations on and clarifications concerning the use and disclosure of PHI for marketing;
  • relaxation of certain limitations on the use of PHI for fundraising; and
  • improvement to the regulations concerning authorizations for the use or disclosure of PHI for research.

Except as noted below with respect to provisions related to the requirements for business associate agreements and arrangements relating to the sale of PHI, the deadline for complying with the amended HIPAA regulations is September 23, 2013. Accordingly, covered entities, business associates, and business associate subcontractors will have to act expeditiously to come into compliance with the Omnibus Rule.

Below, we review the changes implemented in the Omnibus Rule in greater detail, and address some of the action steps that covered entities and business associates should take to comply.