A week before the September 23, 2013 deadline for all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates to have updated their business associate agreements to comply with the Final Omnibus HIPAA Rule, the Department of Health & Human Services Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) today (September 16, 2013) released Model Notices of Privacy Practices (Notices) for health care providers and health plans to use to communicate with their patients and plan members. With penalties and enforcement continuing to rise, Covered Entities and their business associates should take appropriate steps to review and update their privacy and breach notification policies and procedures, privacy officer appointments, notices of privacy practices, business associate agreements and other HIPAA compliance and risk management documentation, practices, procedures and coverage, breach notification and other HIPAA compliance and risk management practice.

Model HIPAA Notices

Developed collaboratively by ONC and OCR the Notices available here designed in the following three different styles are designed for users to customize to fit their specific needs and practices:

• A notice in the form of a booklet;
• A layered notice with a summary of the information on the first page and full content on the following pages; and
• A notice with the design elements of the booklet, but that is formatted for full-page presentation.

Use of these model Notices is optional.  While the agencies designed the Notices to let Covered Entities to use these models by entering some of their own information into the model, such as contact information, and then printing for distribution and posting on their websites, Covered Entities should consult with legal counsel to determine the suitability of the Notices generally for their entity’s use and any customization, if any, that may be recommended or required to a Notice if the Covered Entity decides rely upon a model Notice to prepare its Notice of Privacy Practices.  To facilitate any tailoring, the agencies provided a text-only version for Covered Entities wishing only wish to use the content with or without tailoring.

September 23 Business Associate Agreement Update Deadline

September 23, 2013 also is the final deadline established in the Final Omnibus HIPAA Rule for Covered Entities and their business associations to update the business associate agreements required by HIPAA to reflect application of the breach notification, business associate, and many of HIPAA’s requirements to directly cover business associates and other aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009.  While HHS published a Sample Business Associate Agreement last June to aid Covered Entities and their business associates with understanding the business associate agreement requirements as impacted by the Omnibus Final HIPAA Rule, it also made clear that Covered Entities and their business associates should tailor their business associate agreements to fit their specific circumstances and relationships.  OCR National Office and regional officials speaking about their findings about past business associate agreement compliance have indicated that their audit and enforcement activities show widespread compliance issues among Covered Entities and business associates with the original business associate agreements.  OCR clearly expects Covered Entities and their business associates to address and resolve these compliance issues going forward.

Covered Entities and their business associates are increasingly at peril if caught violating HIPAA’s Privacy, Security or Breach Notification rules.  With the HITECH Act Breach Notification rules now requiring Covered Entities to self-disclose breaches, OCR becomes aware of breaches much more easily.  Coupled with the HITECH Act’s increase in sanctions for HIPAA violations, Covered Entities and, beginning September 23, 2013, their business associates face rising risks for violating HIPAA.  See, e.g. HHS Settles with Health Plan in Photocopier Breach Case; WellPoint Settles HIPAA Security Case for $1,700,000; Shasta Regional Medical Center Settles HIPAA Security Case for $275,000; Idaho State University Settles HIPAA Security Case for $400,000; and HHS announces first HIPAA breach settlement involving less than 500 patients.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement actions; with 2014 health plan decision-making, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer for help.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer is widely recognized for her extensive work, publications, and thought leadership on HIPAA and other privacy and data security issues.  Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer’s experience includes extensive work advising, representing and training health plan, health insurance, health IT, health care and other clients on HIPAA and other privacy, data protection and breach and other related matters and represents and advises these and other clients in responding to OCR Privacy and Civil Rights and other HHS agencies, Labor Department, IRS regulations, investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  She also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications.

Beyond her HIPAA involvement, Ms. Stamer also continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

• CMS Hosts Webinar Celebrating National Health IT Week 9/16-20
• New DOL Guidance Makes Many Employers Rethink Giving FLSA 18B Exchange Notices
• Tell HHS What You Think About Obamacare & Other Rules
• Insist President & Congress Get Real About Health Care Reform
• Employers Beware! DOL-Model FLSA Section 18B Exchange Notice Requires Tailoring!
• IRS Publishes Final Health Reform Individual Shared Responsibility Rules
• Cascom Inc. Owner Must Pay Nearly $1.5 M After Company Misclassified Employees As Independent Contractors
• Government Contractors To Face Hiring “Targets” for Vets & Disabled Under Impending Rules.
• Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts
• Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers
• Report Questions Security As HHS Invites Consumers To Set Up Personal Accounts To Prepare For Exchange Enrollment Period
• Justice Department Sues Texas Bus Company For Illegal Discrimination Against Citizens When Hiring H-2B Program Workers
• Legislation Proposes To Change Obama Care Full-Time Employee Definition
• IRS Releases Updated Healthcare Law Online Resources Publication
• IRS Extends Remedial Amendment On Cycle Opinion Deadline For Some Defined Benefit Plans
• Self-Dealing Or Other Mishandling of Employee Benefit Plan Funds Risky For Fiduciaries & Those Appointing Them
• Employers & Insurers Reminded Of July 31 Deadline To Pay New ACA-Required PCORI Fees
• Use New Government Health Care Reform Resources With Care
• OCR Warns Others Learn From WellPoint’s $1.7 M HIPAA Settlement
• “Pay Or Play” Reprieve Still Leaves Employers Facing Challenging 2014 Health Care Reform Deadlines
• HHS Continues Preparations For New Health Insurance Marketplace By Awarding Grants To Promote Kids Enrollment
• HHS Touts Enrollment Tools, Says Exchange Enrollment Ready Despite GAO Concerns
• HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce
• Consider OCR Technical Corrections When Updating Privacy Practices & Agreements For Omnibus Restatement of HIPAA Privacy, Security, Breach Notification & Enforcement Rules
• Id & Manage Hidden Employee Benefit Exposures In Business Insolvency Or Other Transactions
• Final Regulations Update HIPAA Health Plan Wellness Program Rules
• Beware:  Not All Products Marketed As “Fixed Indemnity Coverage” Products Are HIPAA/ACA Exempt
• CMS Publishes FY 2014 Final Inpatient Rehabilitation Facility Prospective Payment Rule
• Tighten Disability Compliance To Avoid ADA Suits, Program Disqualification & Other Risks
• Doc Caught Submitting Conflicting Patient Records to Private Payer Versus Medicare Criminally Sentence, Pays Civil Settlement
• OCR To Covered Entities:  Learn From WellPoint $1.7 Settlement
• Improper Billing Of Private Payers Increasing Source Of Liability & Risk For Providers
• Ambulatory Care Orgs Face New Joint Commission Standards Beginning January 1, 2014
• Hollywood Pavillion & Other Fraud Convictions Show Individuals Risk Prison Time For Health Care Fraud Involvement
• 55 Hospitals To Pay $35M+ To Settle FCA Claims Charges On Kyphoplasty Procedures
• Whistleblower Collects $2.7 M of $14.5M Sound Inpatient Physicians Overbilling Settlement
• OIG Urges CMS To Step Up Efforts To Recover “Overpayments”
• HHS Continues Preparations For Health Care Marketplace By Awarding $32M Of Grants To Up CHIP & Medicaid Enrollment
• Hospital Pay $275K To Settle HIPAA Charges After Sharing PHI With Press, Workforce In Response To Fraud Reports
• OCR Makes Technical Corrections To HIPAA Omnibus Final Rule;  September 2013 Enforcement Deadline Looming
• Updated Kaiser Family Foundation Tool May Help Project Which Employees Will Get Exchange Subsidies
• New IRS Guidance On ESOP Investment Diversification Reminder To Tighten Compliance, Risk Management
• EBSA Releases Model ACA Notices Discussing Coverage Options
• Group Health Plans &No-Fault & Worker’s Comp Ruled Primary Plans When Coordinating With Medicare Advantage Plans
• Changing Plan Years Won’t Extend Health Plan’s Affordable Care Act Annual Limit Waiver Eligibility
• Deadline To Send ACA Summary of Benefits & Coverage Adds Pressure To Finalize 2014 Plan Designs As Agencies Add MEC & MV Disclosures To SBC
• Study Finds Down Economy, Not Health Care Reform Accounts For Slower Health Care Cost Increases; Projects Renewed Costs When Economy Improves
• IRS Witholding Calculator Can Help Avoid Over & Underwithholding
• Responding To West, Texas, Boston & Other Tragedies: Information and Reassurance Resources
• Justice Department Charges Employer, Pension Plan With Violating USERRA Reemployment Rights
• Administration Proposes To Let PBGC Board Set Premiums In Effort To Shore Up Finances
• Administration Proposes Expanding Eligibility, Simplifying Small Employer Health Care Tax Credit
• Health Care Transparency Effectiveness & Value Depends On Data Quality, Understanding & Awareness
• Test Your Health Care Reform Knowledge On 3rd Anniversary of Reform Passage
• Insured “Expatriate Plans” Get Temporary Reprieve From Affordable Care Act Compliance Thru 2015 If Meet Other Health Plan Mandates
• Insured “Expatriate Plans” Get Temporary Reprieve From Affordable Care Act Compliance Thru 2015 If Meet Other Health Plan Mandates
• OCR Plans To Survey Health Plans, Other Covered Entities Hit With HIPAA Audits in 2012
• Businesses Urged To Strengthen Their Worker Classification Defenses As IRS, Other Agencies Step Up Audits & Enforcement
• Alert Employees Claiming Qualified Adoption Expenses and Education Credits About Changed IRS Procedures
• 13 Employer Tips For Coping With Health Care Reform Now!
• Sequester Will Cut ACA Small Businesses Health Care Tax Credits

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.

This entry was posted on Monday, September 16th, 2013 at 5:21 PM and is filed under ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.