HITECH Act – What Should An Employer Worry About?

Contributed by Rebecca Dobbs Bush

On January 25, 2013, the Federal Register published final rules issued by Health and Human Services (HHS) to modify the HIPAA Privacy, Security and Breach Notification and Enforcement Rules.  The compliance deadline for almost every provision of these rules is September 23, 2013. 

Most of HITECH's provisions have little effect on the average employer whose only HIPAA Privacy concern is how the rules bear on the administration of its group health plan.  Primarily, employers (in their capacity as group health plan administrators) need to become familiar with the slight changes HITECH imposes for privacy notices.

Before getting too worried about what’s in your Privacy Notice, remember that a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information, is not required to develop a Privacy Notice.  See 45 CFR 164.520(a).

For those that are required to distribute Privacy Notices in the administration of their group health plans, HITECH regulations impose the following additions to the privacy notice:

  • A description of the types of disclosures that require an individual's authorization, such as a release of PHI for sale or for marketing activities, or a release of psychotherapy notes.
  • A statement that other uses and disclosures of PHI not mentioned in the privacy notice will only be made with the individual’s authorization.
  • A statement of the right to restrict disclosures of protected health information to a health plan where the individual pays out of pocket in full for the healthcare item or service (only applies to notices from health providers, not health plans).
  • A statement of the obligation to notify affected individuals following a breach of unsecured PHI.

To the extent that a plan’s privacy notice already meets the regulations' requirements, HHS has clarified that the plan is not required to revise and distribute another privacy notice on account of the final rules.  This is good news for employers who have already updated their privacy notices in response to the proposed version of the regulations, which was issued in 2010.