Action Steps for Meeting HIPAA’S September 23, 2013 Deadline

June 26, 2013

With all of the activity surrounding the Patient Protection and Affordable Care Act, it has been easy for group health plans to lose sight of the September 23, 2013 deadline set forth in the final rules implemented under the Health Insurance Portability and Accountability Act (“HIPAA”) as updated by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  The September 23, 2013 deadline applies to group health plans and business associates alike.

The following is a summary of the most significant changes to HIPAA:

Business Associates Directly Liable

Prior to HITECH, business associates were only contractually obligated, through business associate agreements with the group health plans they worked with, to comply with HIPAA.  Now, business associates – like group health plans and other covered entities – are directly liable for non-compliance with certain HIPAA provisions.  As a result, business associates are now required to:

  • Ensure that PHI is not used or disclosed in a manner that would violate HIPAA.
  • Disclose PHI to the Department of Health and Human Services (“HHS”) upon request.
  • Disclose PHI to the group health plan or directly to the individual upon request.
  • Limit the use and disclosure of PHI to the “minimum amount necessary.”
  • Use or disclose PHI consistent with the business associate agreement or applicable law.
  • Enter into business associate agreements with their vendors and/or subcontractors.

A business associate is subject to direct enforcement by the HHS for failure to satisfy any of these requirements.

Definition of “Business Associate” Expanded

The definition of “business associate” is expanded to include the vendors and subcontractors of business associates, if they have access to PHI.  For this purpose, “access” means routine access to PHI.  An entity that is merely a conduit of PHI might not be deemed a business associate.  Access is determined on a case-by-case basis.

Heightened Duty to Notify of Breach

A group health plan must now notify affected individuals of any breach, unless a risk assessment shows a “low probability” that the PHI will be compromised as a result of the breach.  Before HITECH, the duty to notify was only triggered where there was a “significant risk of financial, reputation, or other harm” to the affected individuals.

Restrictions on Use of PHI for Sales and Marketing

The sale or marketing of PHI by either a group health plan or its business associate is prohibited unless the individual to whom the PHI relates provides written authorization for the sale or marketing.

GINA Compliance

Under the new rules, HIPAA is also updated to incorporate provisions under the Genetic Information Nondiscrimination Act (“GINA”).  Any PHI that is or contains genetic information may not be used or disclosed for purposes of plan underwriting.

Enhanced Rights to Access PHI

Individuals have enhanced rights to access PHI.  Individuals can make reasonable requests for PHI to be provided to them in certain forms and formats.  If a group health plan or a business associate is unable to produce the PHI in the requested format, another form must be agreed upon.  In addition, individuals can now expect to have their requests for access to their PHI addressed within 30 days.
While not necessarily contained in the new rules, HHS has made it clear that it is transitioning from educating covered entities on HIPAA compliance to more aggressively enforcing HIPAA.  This transition can be seen in the recent uptick in HIPAA enforcement activity.  Now is the time for sponsors of group health plans to ensure that they are HIPAA compliant.
Because of the September 23, 2013 deadline, the following action steps should be addressed immediately:

  • Update Business Associate Agreements. Sponsors of group health plans should review and revise their business associate agreements to reflect (1) the fact that the business associate is also directly liable to HHS, (2) the business associate’s obligation to enter into business associate agreements with its vendors/subcontractors, (3) the business associate’s enhanced responsibility to notify individuals and the group health plan of any HIPAA breach, (4) the new standard for notification of a breach, and (5) that PHI is not to be sold or marketed in a manner that violates the new HIPAA provisions.

Current business associate agreements that are not modified between January 25, 2013 and September 23, 2013 will be considered compliant until they are renewed or modified or, if earlier, September 22, 2014.  Business associate agreements that are modified during this period must be in compliance by September 23, 2013.

  • Update Notices of Privacy Practices. The Privacy Notice that must be furnished to individuals at least once every three years must be updated to reflect the enhanced rights to access PHI that individuals now have. It should also notify individuals of the restrictions placed on the group health plan in the sale and marketing of PHI.
  • Revise HIPAA Training Materials. The HIPAA training that all new employees with access to PHI must undergo should be reviewed and updated to incorporate the new HIPAA rules.
  • Update HIPAA Policies and Procedures. A group health plan’s HIPAA policies and procedures must be reviewed and revised to reflect the new HIPAA rules.
  • Confirm No GINA Issue. Group health plan sponsors must confirm and document that genetic information is not being used for underwriting purposes.

These are just some of the issues that sponsors of group health plans must address in connection with the new HIPAA rules. Plan sponsors should review this Benefit Alert and address all of the action steps listed above as soon as possible.  Please contact a member of the Employee Benefits Group to discuss further or to help schedule a meeting.