by Lexi Garcia | Sep 26, 2024 | Blog
As the deadline for the 2024 HIPAA Privacy Rule approaches, companies sponsoring ERISA group health plans must take specific actions to ensure compliance. This rule introduces new prohibitions on the use and disclosure of protected health information (PHI) related to reproductive health care, along with new attestation requirements and updates to privacy practices. Here’s a comprehensive guide to help your company navigate these changes.
Modify HIPAA Policies and Procedures
Review and update your HIPAA policies and procedures to align with the 2024 Privacy Rule. Key updates include:
- Definitions: Add or revise definitions of reproductive health care, person, and public health.
- Prohibited Uses and Disclosures: Include language prohibiting the use or disclosure of PHI for:
- Investigations against individuals seeking or providing lawful reproductive health care.
- Identifying individuals for investigation or liability purposes related to lawful reproductive health care.
- Attestation Process: Describe the attestation process and required content for requests related to reproductive health care PHI. Utilize the model attestation form provided by HHS.
- Reporting and Requests: Revise provisions for reporting abuse, neglect, or domestic violence, and for law enforcement administrative requests.
- Personal Representatives: Clarify when to treat a person as an individual’s personal representative.
Conduct Training
Update your HIPAA training programs to incorporate the 2024 Privacy Rule requirements. Ensure that workforce members understand the new processes for handling PHI requests related to reproductive health care.
Review Business Associate Agreements
Examine and update business associate agreements to ensure compliance with the 2024 Privacy Rule. Verify that business associates are adhering to the new requirements.
Update Risk Analysis and Risk Management Plans
- Risk Analysis: Review and update the risk analysis to address the risk of impermissible disclosures of ePHI related to reproductive health care.
- Risk Management Plans: Evaluate and update risk management plans to address identified risks and vulnerabilities.
Conclusion
By taking these steps, your company can ensure compliance with the 2024 HIPAA Privacy Rule to Protect Reproductive Health Care. Staying proactive and informed will help safeguard PHI and uphold the privacy rights of individuals seeking reproductive health care.
Source: Thomson Reuters
by Lexi Garcia | Jun 22, 2023 | Blog
QUESTION: Is an opt-out election still available to exempt self-insured state and local governmental plans from compliance obligations under certain group health plan mandates?
ANSWER: Originally, self-insured group health plans of state and local governments could opt out of a wide range of group health plan mandates, including certain HIPAA portability requirements (e.g., special enrollment periods and health status nondiscrimination), the mental health parity rules, standards related to newborns and mothers, reconstructive surgery following mastectomies, and coverage for dependent students on medically necessary leaves of absence (Michelle’s Law). The opt-out right has since been eliminated for certain group health plan mandates, but it is still available for others.
The Affordable Care Act (ACA) eliminated the ability of self-insured plans of state and local governments to opt out of the HIPAA portability requirements for plan years beginning on or after September 23, 2010. And the Consolidated Appropriations Act, 2023 eliminated the election to opt out of compliance with the mental health parity requirements as of December 29, 2022. (No new mental health parity opt-out elections may be made on or after that date, and elections expiring on or after June 27, 2023, may not be renewed. Limited extensions are available for plans subject to multiple collective bargaining agreements.) Still, the opt-out election remains available with respect to three other group health plan mandates: standards related to newborns and mothers, reconstructive surgery following mastectomies, and Michelle’s Law (now obsolete for most plans due to the ACA’s requirement to cover dependent children to age 26). Detailed election and notification requirements apply for plans wishing to rely on the opt-out.
Source: Thomson Reuters
by Lexi Garcia | Mar 9, 2023 | Blog
HHS has proposed regulations that would adopt a set of standards for the electronic exchange of clinical and administrative data to support prior authorizations and health care claims adjudication. As background, HIPAA requires that covered entities (and their business associates) comply with rules designed to standardize the format and content of specified electronic transactions. Specifically, the proposed regulations would adopt standards for “health care attachments” transactions that would support both health care claims and prior authorization transactions, along with a standard for electronic signatures. Regulations proposed in September 2005 would have adopted certain standards for health care attachments but were never finalized.
Explaining that the prior regulations were not finalized due to comments about the standards’ “lack of technical maturity and stakeholders’ lack of readiness to implement electronic capture of clinical data,” the preamble to the new proposed regulations notes that despite the subsequent widespread deployment of electronic health records and greater industry experience with the HIPAA standards, transmitting health care attachments is still primarily a manual process. The preamble provides detailed information about the organizations responsible for developing and maintaining the transactions standards and advises that the timing for implementation is right because the industry consensus-based standards are now mature, and covered entities are ready to implement them. The regulations do not propose to adopt attachments standards for all health care transaction business needs. Instead, the approach is for covered entities to gain experience with several standard electronic attachment types so that technical and business issues can be identified to inform potential future rulemaking for other electronic attachments standards.
Source: Thomson Reuters
