Resource:

Special HIPAA Requirements for Group Health Plans and their Sponsors

This whitepaper provides outstanding information regarding how Group Health Plans and Plan Sponsors can achieve compliance with the HIPAA Omnibus Rule


IN SUM,there are lots of ways to get into trouble if your GHP is not HIPAA compliant.

Why Bother?

Group Health Plans (“GHPs”) have a lot of regulations with which to comply: ERISA (the Employee Retirement Income Security Act), MHPA (the Mental Health Parity Act), Newborns’ Act (the Newborns’ and Mothers’ Health Protection Act), WHCRA (the Women’s Health and Cancer Rights Act) and HIPAA (the Health Insurance Portability and Accountability Act). And while HIPAA isn’t new, there is certainly a renewed energy around enforcement. After all, fines, penalties and settlement dollars associated with HIPAA violations go back into the coffers of the Office for Civil Rights (“OCR”) for more enforcement activities in a year when government budgets are tight. Therefore, there is reason to believe that OCR will step up enforcement activities significantly in 2014 and beyond.

Penalties for non-compliance have increased with the enactment of the Omnibus Rule which details and implements significant changes called for in the 2009 HITECH Act. The HITECH Act mandates that the U.S. Department of Health and Human Services (DHHS) OCR conduct periodic audits of both Covered Entities and Business Associates for compliance with HIPAA. As Covered Entities, GHPs are subject to these same audits and other enforcement actions.

Following on the heels of the 2012 “compliance” audits (OCR acknowledged to be looking for weaknesses and best practices, with no punishments handed out for non-compliance), the 2014 OCR HIPAA Audits are expected to be about enforcement and disciplinary action. OCR officials have indicated that GHPs will be on the audit list again this year (as they were in 2012), along with their service providers. And with the newly available on-line complaint form, it’s easier than ever for someone to report to the Secretary of DHHS suspected violations of their, or anyone else’s, HIPAA privacy or security rights. This is a particularly sensitive allegation when employers and colleagues have access to an individual’s health information. State attorneys general are also granted jurisdiction to file civil suits on behalf of their citizens for HIPAA violations.

In sum, there are lots of ways to get into trouble if your GHP is not HIPAA compliant. Download the full whitepaper to learn what to avoid.