Mercer

HIPAA administrative simplification: Facts and solutions

Last updated: 14 July 2011

 

While many employers have been challenged by the new health care reform mandates, we don’t want you to lose sight of another very important mandate – HIPAA. 

 

In 2009, HIPAA privacy and security rules were expanded by the HITECH Act. Now the agency responsible for overseeing the law – the US Department of Health & Human Services (HHS) – is stepping up HIPAA enforcement with significantly increased penalties and enforcement activities.

Recent HHS Enforcement Activities

The most significant enforcement activity -- and potentially the most damaging to employers -- deals with the improper use of personal health information (PHI) or “breach” of PHI. During the last 18 months, more than 265 breach incidents were reported to HHS, with the majority of those violations due to compromises of electronic devices and theft. Under HIPAA, if there is a breach, an employer’s obligations can include a notice to major media outlets.

 

For example:

 

  • One large employer agreed to pay a $1 million penalty for the loss of PHI data. Several local and national news articles and periodicals ran the story.

 

  • Another employer incurred a penalty totaling more than $4 million for several violations and made headlines in several news agencies.

 

Complimentary ½ hour HIPAA review teleconference to consult on your HIPAA compliance status

Many of these high profile events can be avoided by undertaking appropriate assessment and risk management.

 

To help avert breach incidents, Mercer is offering a complimentary ½ hour HIPAA review teleconference to consult on your HIPAA compliance status.

 

Interested?

 

 Contact your Mercer consultant using our office locator 

 Send us an email

 

This ongoing regulatory activity, coupled with an increased public interest in personal privacy, isn’t likely to diminish. Now is the time to revisit your HIPAA privacy and security policies.

 

Depending on what actions you may have recently taken to comply with privacy and security requirements, here are some steps for you to consider:

 

  • Update privacy and security policies to reflect new HITECH Act provisions and advances in IT protections for e-PHI within the organization
  • Train staff on new HIPAA requirements and plan procedures
  • Update notices of privacy practices and business agreements to reflect new requirements and any changes to procedures
  • Put yourself on a schedule to periodically re-evaluate HIPAA privacy and security practices and written policies, and update as required

 

In short, take the necessary steps to avoid any breaches, and thereby avoid the need to send any notices.

 

Mercer is here to help

 

  • Private and public sector employers: Mercer's efficient HIPAA services and solutions are specifically designed for private and public sector employers.

 

  • Companies of all sizes: We have provided HIPAA services to many clients, ranging in size from 200 to 50,000 employees, in industries including retail, financial services, technology, construction, hospitality and others.

 

  • Full set of tools: Mercer has developed tools to help employers fulfill their HIPAA privacy and security obligations. 
    These tools include customized policy and procedures, risk analyses, training materials, gap analyses and sample templates, to name just a few!  

 


 

HIPAA Update

 

While employers are focused this year on complying with the new health care reform mandates, they shouldn’t overlook other basic requirements affecting health plans. After several years of relative quiet, privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) were expanded in 2009. Now, the agency responsible for overseeing the law – the US Department of Health & Human Services (HHS) – is stepping up enforcement. HIPAA also requires covered entities to periodically reassess and update their security safeguards, taking into account technology and environmental changes. For these reasons, many employers should revisit their plans’ privacy and security compliance.

 

 Download the full Update (PDF)


Additional resources

  • Mercer Select members can review HIPAA-related GRIST updates: Mercer Select

 

 


Contact us

For additional information about how Mercer can help your organization meet its HIPAA compliance obligations:

 

Tami Simon

+1 202 263 3949

 Email Tami


Chris Isaacs

+1 412 355 8744

 Email Chris

 

Terry Dailey

+1 202 331 2512

 Email Terry


 Office locator


More on Health and Benefits Services?

 

Read how Mercer can help you in our Health & benefits solutions page