The deadline for compliance with the Health Insurance Portability and Accountability Act's new notification standards has passed, but employers are just starting to comply with the latest privacy and security regulations. Companies had until September 23 to update their notices of privacy practices.

Ballard Spahr employee benefits attorney Edward I. Leeds told Employee Benefit News: "HIPAA is this really big statute, but what we think of as HIPAA, when we use the term, are really just the privacy and security rules." He added that more of those rules are now trickling down to outside vendors and subcontractors. "HIPAA traditionally applied only to 'covered entities,' like a health plan, but it didn't directly apply to the vendors of the health plan or the third-party administrator. It's a hard concept to understand. A health plan is really just a bundle of rights to get care. The employer sponsors the health plan, but the employer isn't the health plan itself. So when an employer gets information that an employee wants to take a leave of absence or something, that's not subject to HIPAA. That's the employer acting as the employer, not as the health plan."

Mr. Leeds also emphasized that employers should consider how to train relevant members of their workforces in the new requirements as part of their ongoing compliance efforts.
