August 5, 2010

More HIPAA Privacy Rules Proposed

The American Recovery and Reinvestment Act of 2009 (ARRA) included a law known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act made several changes to the HIPAA privacy and security rules.

On July 14, 2010, the Department of Health and Human Services issued proposed regulations to toughen and reinforce the HIPAA standards relating to protected health information (PHI). Importantly, these are only proposed regulations, not regulations that may yet be relied upon. Employers sponsoring health plans will be interested in these regulations, once they are finalized, for a couple of reasons.

Business Associate Agreements

First, the regulations specify the kinds of changes that will need to be made to a business associate agreement. A business associate agreement is a written agreement between the covered entity (health plan, health care provider, or health care clearinghouse) and its business partner. If these regulations are finalized in their current form, the business associate agreement would have to include, in addition to the information currently required, provisions that the business associate will:

  1. Comply with the HIPAA security rules;
  2. Report any breach of unsecured PHI;
  3. Ensure that any subcontractor agrees to the same restrictions as the business associate; and
  4. Comply with the HIPAA privacy rules, to the same extent as the covered entity, if the business associate performs any of the covered entity’s functions.

Notice of Privacy Practices

Also important to note is that a covered entity’s Notice of Privacy Practices may need to be updated to reflect the new restrictions relating to:

  1. Written authorizations for any disclosure of psychotherapy notes;
  2. The use and disclosure of PHI for marketing purposes; and
  3. The receipt of any compensation for such disclosures.

The Notice of Privacy Practices would also have to explain that a plan participant has the right to restrict a health care provider’s disclosure to the plan of information about services the participant paid for directly and did not have reimbursed by the plan.

Unrelated to these regulations, the Genetic Information Nondiscrimination Act of 2008 may also require further amendment of the Notice of Privacy Practices, clarifying that genetic information is included in PHI.

Until these regulations are finalized, no changes need to be made. Stay tuned for further developments.


The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.

As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.
