


Compliance Alert

# 2013-11


Compliance Alert 2013-09

HIPAA Privacy and Security Changes Are Effective Soon



Final privacy and security regulations were published early this year and are generally effective as of September 23, 2013. The most significant changes are summarized below.




Self-funded health plans are most affected by the HIPAA privacy and security requirements. This includes self-funded medical, dental and vision plans, health flexible spending accounts, health reimbursement arrangements and many employee assistance programs. The requirements apply to all kinds of self-funded plans, including government and church plans, and generally apply regardless of the employer's size. (Most insured plans do not receive individually identifiable health information and therefore do not have many obligations under this law.)


Needed Action


In order to meet the new requirements, affected plans must:

  • Revise and distribute the updated notice of privacy practices;
  • Update business associate agreements to clarify that business associates are directly liable for meeting certain parts of the HIPAA privacy and security rules;
  • Revise policies and procedures, particularly those that address impermissible disclosures of information; and
  • Train workforce members on the new requirements.

Privacy Notice


The plan's Notice of Privacy Practices must be updated to include:

  • A statement that PHI that is genetic information may not be used for underwriting;
  • A statement that the individual is entitled to notice of a breach of PHI;
  • A statement that the individual's authorization is required for most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, disclosures that constitute a sale of PHI, and other uses and disclosures not described in the Notice.

Business Associate Agreements


Under a transition rule, existing Business Associate Agreements do not need to be amended until September 22, 2014. The transition rule applies only to updating the agreements; the parties must operate as required under the updated HIPAA rules beginning in September 2013. Any new Business Associate Agreement must include the new requirements.


Information Breaches


The new HIPAA rule assumes that all impermissible uses and disclosures of protected health information (PHI) are breaches which require notification to various parties. However, if the plan can show that, after completing a risk assessment, it is confident that there is a low probability that PHI has been compromised, notification is not required.


A risk assessment would look at:

  • The nature and extent of the PHI involved, including the types of identifiers disclosed and the likelihood of re-identification;
  • The unauthorized person(s) who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

If the plan cannot demonstrate that there is a low probability of compromise to the PHI, notification is required. Notification is always required to the affected individuals, and may be required to the Department of Health and Human Services (HHS) and the media if the breach is significant enough. Note that the government believes that many forms of health information can be sensitive, not just information about sexually transmitted diseases, mental health diseases or substance abuse. In addition, violations of the minimum necessary rules could result in breaches requiring notification. Encryption generally means there is a low probability of exposure.


The obligation to determine whether a breach has occurred and to notify individuals remains with the plan. However, the plan can delegate these functions to a business associate (BA), such as a third party administrator.


Written notification by first-class mail is the general, default rule. However, individuals who affirmatively agree to receive notice by e-mail may be notified accordingly. In limited cases, individuals may be notified orally or by telephone.




The updated penalties are large:

  • "Did not know" penalty - amount not less than $100 or more than $50,000 per violation when it is established the plan or BA did not know and, by exercising reasonable diligence, would not have known of a violation;
  • "Reasonable cause" penalty - amount not less than $1,000 or more than $50,000 per violation when it is established the violation was due to reasonable cause and not to willful neglect;
  • "Willful neglect-corrected" penalty - amount not less than $10,000 or more than $50,000 per violation when it is established the violation was due to willful neglect and was timely corrected;
  • "Willful neglect-not corrected" penalty - amount not less than $50,000 for each violation when it is established the violation was due to willful neglect and was not timely corrected.

Willful neglect includes extreme carelessness. Examples include:

  • A plan disposed of several hard drives containing electronic PHI in an unsecured dumpster. An HHS investigation reveals the plan had failed to implement any policies and procedures to reasonably and appropriately safeguard PHI during the disposal process.
  • An employee lost an unencrypted laptop or smart phone that contained unsecured PHI. An HHS investigation reveals the employer feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required.

The maximum penalty per violation type is $1,500,000 in a calendar year.


United Benefit Administrators


This information is general and is provided for educational purposes only. It reflects UBA's understanding of the available guidance as of the date shown and is subject to change. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.



Gordon M. Graffius, CLU, CEO
Bradly W. Graffius, CLU, RHU, President
Commonwealth Benefits Group
This notification is brought to you by your Partner Firm of United Benefit Advisors - the nation's leading independent employee benefits advisory organization with more than 200 Partner offices in 46 states, Canada and the United Kingdom - and Jackson Lewis, founded in 1958 and dedicated to representing management exclusively in workplace law, is one of the fastest growing workplace law firms in the U.S., with over 700 attorneys practicing in 49 locations nationwide. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis LLP and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis LLP. This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.
Jackson Lewis