The HIPAA privacy rules restrict the use or disclosure of protected health information by covered entities (including employer group health plans) without express authorization, except when necessary for treatment, payment or health care operations, or certain other permitted purposes. The privacy rules include standards for individuals' privacy rights to understand and control how their health information is used. The HIPAA security rules set standards to protect the confidentiality, integrity, and availability of electronic protected health information.

Employers with self-insured group health plans, including medical, dental, vision, health flexible spending accounts or health reimbursement arrangements and certain employee assistance programs, as well as those sponsoring on-site medical clinics or using data warehousing in conjunction with their group health plans, will have HIPAA obligations. In general, employers with insured group health plans that don't have access to protected health information will have only limited HIPAA obligations.

The final regulations implement the amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) and the Genetic Information Nondiscrimination Act (GINA).
Generally, the final regulations:
- Modify the HIPAA privacy, security, and enforcement rules to:
  - incorporate the increased and tiered monetary penalties and expanded enforcement structure of the HITECH Act
  - make business associates directly liable for compliance with certain privacy and security rules
  - modify the rules for breach notification
  - require modifications to notices of privacy practices
  - strengthen limits on the use and sale of protected health information
  - expand rights to electronic copies of health information and restrict disclosures to health plans where the individual has paid for the treatment
  - adopt additional HITECH Act provisions
- Modify the HIPAA privacy rule to strengthen and implement the privacy protections for genetic information under GINA

There are numerous changes in the final rules from the earlier interim and proposed rules; however, employers will find that the general compliance framework for satisfying their HIPAA privacy and security obligations was not significantly altered by this recent round of regulatory guidance. HHS did not finalize other proposed regulations (published in May 2011) affecting accounting for disclosures and access reports.