Notice of Privacy Practices
As this publication noted in March
, plan sponsors must review and update the HIPAA Notice of Privacy Practices as a result of the Omnibus Final Rule
. Plan sponsors are reminded of the following publication requirements:
1. If the plan sponsor maintains a benefits website, the notice of the changes or the revised notice must be posted on that website no later than September 23, 2013. Thereafter, the revised notice or information about the change must be included in the next annual mailing to individuals then covered by the plan (e.g., beginning of plan year or open enrollment period).
2. If the plan sponsor does not maintain a benefits website, the revised notice (or information about the changes and instructions for obtaining a revised notice) must be distributed to individuals then covered by the plan no later than 60 days after the date of the revision.
For insured plans, the insurance company generally has the responsibility for preparation and mailing of the notice. It could happen with plans having a combination of insured and self-insured coverage, that employees will receive more than one notice. For example, the plan sponsor might send a layered notice including self-insured medical and fully insured dental, and the dental vendor would prepare and send a separate notice.
The Department of Health and Human Services has not published a model for the notice, stating that information practices vary widely among covered entities.
For assistance with compliance, please contact your BSG account manager.
Just what does remain in effect after the one-year delay of penalties for employers who don't meet the PPACA coverage requirement? Here's what the national law firm, Bryan Cave, has to say about which PPACA provisions remain in effect for employers in the year ahead.
to read the article.
Business Associate Agreements (BAAs)
In January 2013, regulations were published, which extended statutory requirements of HIPAA's privacy and security rules to business associates and their subcontractors and, at the same time, expanded the definition of a business associate. The regulations were effective in March 2013. BAAs must be updated to comply with the new statutory requirements and business associates need to take steps (if not already in place) to have BAAs with subcontractors. The compliance due dates that plan sponsors, business associates, and subcontractors should note may fluctuate depending upon factors specific to the contractual relationship between parties. The following rules apply:
1. The compliance date is September 22, 2014 (or the date such BAA is renewed or modified on or after September 23, 2013, if earlier) for any BAA that meets all three of the following requirements:
a. The BAA was in place prior to January 25, 2013;
b. The BAA was otherwise in compliance with the rules applicable to BAAs immediately prior to the publication date of the new final regulations (January 25, 2013), including HITECH provisions that were released in earlier regulations (particularly breach notification requirements), and
c. The BAA was not renewed or modified between March 23, 2013 and September 23, 2013.
2. The compliance date is September 23, 2013 for all other BAAs.
Some vendors have already begun the process of updating BAAs. At BSG, account managers and the compliance department are working together to ensure that all of our BAAs are updated according to the deadlines, and we're available to assist our clients.
Click here to read more about the new requirements.
ERRP Operational Processes to Terminate July 31
U.S. Department of Health & Human Services
In preparation for the January 1, 2014 Early Retirement Reimbursement Program (ERRP) sunset date, CMS will phase down the ERRP Secure Website so that it can be taken offline and archived in mid-2014.
Click here for more information.