Benefits Law Update
        Practical advice from Verrill attorneys

        HIPAA Compliance for Group Health Plans – Next Steps for Employers

        by Eric D. Altholz on April 15, 2013

        In three previous posts devoted to the new Final Omnibus Rule under HIPAA we highlighted important changes regarding privacy breach notifications, business associates and business associate arrangements, and increased penalties and enforcement activity. We will complete our series regarding these significant new rules by suggesting steps that employers should begin to take now in order to meet the compliance deadline of September 23, 2013. While these steps are most relevant for employers that sponsor self-funded group health plans, which are considered “covered entities” for HIPAA purposes, we note that employers who provide health benefits to employees through fully insured arrangements must also be mindful of HIPAA requirements.

        Review and Update Policies and Procedures

        Employers should review their existing privacy and security policies and procedures and update them as necessary to reflect the new rules. Although the new rules do not expand the scope of employers’ obligations in material ways, they do make changes that are likely to affect the way employers (and their group health plan service providers) handle certain existing obligations. At a minimum, health plan sponsors will have to change the way potential privacy breaches are handled. Policies and procedures adopted after the enactment of the HITECH Act (in 2010) focus on the “harm standard” that is eliminated under the new rules. Updated policies and procedures should reflect the presumption that a breach has occurred and should guide the performance of a risk assessment that takes into account the four factors described in the Final Omnibus Rule, which may allow an employer to conclude there is “low probability” that the PHI has been compromised. Since the plan sponsor (acting for the plan) will have the burden of proof to show that a breach did not occur, updated policies should facilitate the documentation of all aspects of the breach analysis.

        Inventory Business Associates and Prepare for New BAAs

        Employers should review their group health plan service provider relationships in light of the expanded definition of “business associate” under the Final Omnibus Rule. Given the new definition it is possible that service providers who were not considered business associates in the past should now be treated as such. Business associate agreements must also reflect the affirmative, direct compliance obligations described in the new rules. Most well drafted business associate agreements already impose those obligations on business associates, so employers may not see a need for many changes in this regard. Note that the Final Omnibus Rule allows a covered entity to be held liable for the acts of a business associate that is considered its “agent” under common law standards. Employers should be mindful of this and consider adding protective language to affirmatively disavow any agency relationship with a business associate in appropriate cases. (Of course, this will only increase the need to pay close attention to indemnification provisions in business associate agreements.) Employers that do not use their own form of business associate agreement for health plan contracting may find the sample language developed by HHS to be a useful benchmark against which to evaluate the agreements that health plan service providers will inevitably begin to distribute over the next few months.

        Update and Distribute the Notice of Privacy Practices

        A new Notice of Privacy Practices will have to be prepared and distributed (or posted electronically) by September 23, 2013, in order to inform individuals covered by the group health plan of certain new rights as well as any changes in the employer’s privacy policies and procedures. The new Notices will have to include, among other things, changes in the breach notification rules, new prohibitions against the use or disclosure of genetic information by a health plan for underwriting purposes, and new rights to restrict disclosures of PHI to a health plan where the service was paid in full by the individual as an out of pocket expense.

        (Re)Train Your Workforce

        The Final Omnibus Rule does not modify the core responsibility of a covered entity to train its “workforce” regarding the privacy and security requirements of HIPAA and the content of the covered entity’s own HIPAA policies and procedures. The changes discussed above, however, all justify retraining the workforce. Since the workforce of most self-funded group health plans is made up of employees of the sponsoring employer, employers must devote the time and effort necessary to provide adequate training to their employers who work with the health plan. Note that an employer is not required to bring in outside resources to conduct training, though many employers find that partnering with their employee benefits legal counsel or other professional consultants is an effective way to accomplish the desired results.

        A Word About the “Compliance Deadline”

        As noted above, employers should aim to complete their HIPAA compliance efforts by no later than September 23, 2013. That is the date as of which the Office of Civil Rights of HHS will begin its HIPAA enforcement activities. But it’s worth mentioning that the Final Omnibus Rule officially took effect March 26, 2013 (90 days after the publication of the rule in the Federal Register). While a failure to achieve full compliance by September 23, 2013 is not likely to be fatal, we strongly advise all employers to make a substantial and good faith effort to comply within that time frame.

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Key Contacts

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...