Interim final regulations were issued to implement part of the health care reform provision to improve the utility of existing HIPAA transactions and reduce administrative costs. Health care reform requires HHS to adopt a single set of operating rules for the transaction standards issued under HIPAA, with the goal of creating uniformity in the implementation of the electronic standards.

The regulations require compliance by Jan. 1, 2013 and put in place operating rules for two electronic health care transactions, making it easier for providers to determine:

The final regulations under Title II of the Genetic Information Nondiscrimination Act issued by the Equal Employment Opportunity Commission went into effect Jan. 10, 2011. After GINA Title I left employers wanting more clarification, specifically in regard to wellness programs, the final regulations issued Nov. 9, 2010 provided better guidance on handling sensitive health information.

GINA provides regulations to govern the gathering and use of genetic information and generally:

• Bars the use of genetic information in employment decision-making
• Restricts deliberate acquisition of genetic information
• Requires the genetic information be maintained as a confidential medical record
• Places strict limits on disclosure of genetic information

The final ruling provides clear and specific guidelines for compliance. The most critical may have been for those who offer or are considering offering health and wellness programs. The clarification comes in that while employers may not offer an inducement for individuals to provide genetic information, they may offer financial incentives to encourage participation in health or genetic services and request family health history information if certain requirements are met.

Another major contribution to GINA II included redefining numerous terms such as genetic information, genetic services, deliberate acquisition and inadvertent discovery, that were difficult to understand in the first round of guidance.

To read GINA Title II, click here.

The Equal Employment Opportunity Commission (EEOC) issued final regulations on GINA’s Employment Nondiscrimination Provisions under Title II, which prohibits employment discrimination based on genetic information, and restricts acquisition and disclosure of genetic information by employers.

As background, Title II applies to state and local government and private employers with 15 or more employees, employment agencies, labor unions, and joint labor-management training programs. It also covers Congress and federal executive branch agencies. Title II of GINA prohibits use of genetic information in making decisions related to any terms, conditions, or privileges of employment, prohibits covered entities from intentionally acquiring genetic information, requires confidentiality with respect to genetic information (with limited exceptions), and prohibits retaliation.

Although the EEOC issued proposed rules under Title II in March 2009 (and GINA Title II was effective Nov. 21, 2009), the final regulations do not take effect until Jan. 10, 2011.

The final regulations in regard to employee benefits include:

• Prohibits using genetic information in employment decisions, including those concerning hiring, firing, compensation, and terms and conditions of employment;
• Prevents employers from requesting, requiring, or purchasing genetic information, other than to comply with the Family and Medical Leave Act or similar laws, for use in genetic monitoring related to toxic substances in the workplace, or for DNA analysis for law enforcement purposes;
• Permits employers to request genetic information in connection with a wellness program, provided, among other things, that an employee consents to receive such request, and any financial incentive for providing such information is also available to employees participating in the program who do not provide genetic information;
• Requires that genetic information be maintained as a confidential medical record, strictly limiting its disclosure;
• Provides broad remedies for individuals whose genetic information is acquired, used, or disclosed in violation of GINA, and protects employees from retaliation for exercising rights under GINA.

Click here to read the regulations.

HHS has temporarily pulled a final breach notification rule until further consideration. The Interim Final Rule for Breach Notification for Unsecured Protected Health Information issued pursuant to the HITECH Act was published in the Federal Register Aug. 24, 2009 and became effective Sept. 23, 2009. After the 60-day public comment period, HHS is withdrawing the rule and intends to publish a final rule in the Federal Register in the coming months, according to a notice issued by HHS.

"This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” according to the notice.

The Department of Health & Human Services has proposed modification to the HIPAA Privacy, Security and Enforcement Rules. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.

• expand individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans.
• require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
• set new limitations on the use and disclosure of protected health information for marketing and fundraising; and
• prohibit the sale of protected health information without patient authorization.

In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Click here to view the proposed rule.

The Department of Health and Human Services Office for Civil Rights (OCR) has an announcement on its website that it is working on regulations on the privacy and security provisions of the HITECH Act. (The HITECH Act was passed as part of the American Recovery and Reinvestment Act of 2009.)

The new regulations to be issued will focus on:

• business associate liability;
• limitations on marketing, fundraising communications, and the sale of PHI; and
• stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

The effective date (Feb. 17, 2010) for many of these HITECH Act provisions has already passed; therefore OCR has stated that the regulations will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

The announcement contains a reminder to covered entities (including health plans) and business associates that regulations implementing the HITECH Act’s breach notification and enforcement provisions have already been issued and are currently in effect. Under those rules, covered entities are required to provide notification of a breach of unsecured PHI to HHS, affected individuals, and, in certain circumstances, the media. In addition, increased civil monetary penalties apply to both covered entities and business associates for violations of HIPAA's privacy and security rules.

The announcement does not indicate when OCR expects to issue the new regulations under the HITECH Act. Because of this and in light of the strengthened enforcement provisions, health plans (and their business associates) should comply with the statutory requirements of the HITECH Act while they await issuance of the regulations.

Click here to view HITECH Act Rulemaking and Implementation Update on the HHS-OCR webpage.

Under these requirements, covered entities must report breaches affecting 500 or more individuals to HHS without unreasonable delay and in no case later than 60 days following the breach. The information is to be reported using an online form available on the OCR website.

The HHS is required to make publicly available some of the information from the submitted form, including:

• Name of covered entity (or business associate involved),
• State where the covered entity is located,
• Approximate number of individuals affected,
• Date of the breach,
• Type of breach (e.g., theft, unauthorized access), and
• Location of the breached information (e.g., computer, paper records, portable electronic device).

Click here to view the unsecured private health information (PHI) that covered entities have reported.

A new rule will protect patients' genetic information and will help ensure that genetic information is not used adversely in determining health care coverage was issued Oct. 1 by the U.S. Departments of Health and Human Services, Labor and the Treasury.

The rule proposed modifies the HIPAA Privacy Rule pursuant to Genetic Information Nondiscrimination Act of 2008 (GINA) Title I to clarify that genetic information is health information and to prohibit the use and disclosure of genetic information by covered health plans for eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits.

For details about the interim final rule of the GINA, click here.

The IRS has published final regulations on the HSA comparability rules and how to report and pay excise taxes for failure to comply with comparability requirements or various group health plan mandates (including COBRA and HIPAA). You will find few differences between these final regulations and the proposed regulations issued in 2008. (These comparability provisions apply to employer contributions made for calendar years beginning on or after Jan. 1, 2010.)

The following are comments on excise tax reporting and the HSA comparability requirements.

Excise Tax Reporting. Persons can be liable for an excise tax for failure to meet the Code's requirements regarding

• COBRA
• HIPAA portability (including GINA mandates)
• Mental health parity, and
• Minimum hospital stays for newborns and mothers or Michelle's Law.

Individuals liable for an excise tax generally must file IRS Form 8928 and pay the tax by the due date for filing their federal income tax returns (without extensions). Take note of this provision eliminating extensions for filing the Form 8928 because it may be a surprise for companies routinely filing extensions.

A Form 8928 must be filed by employers liable for an excise tax for noncomparable HSA or Archer MSA contributions by the April 15th following the calendar year in which the noncomparable contributions were made. (Form 8928 has not been released yet, but a version has been released requesting comments.)

The excise tax reporting provisions apply to any Form 8928 due on or after Jan. 1, 2010.

HSA Comparability Requirements.

The final regulations reflect changes to the HSA comparability rules made by the Tax Relief and Health Care Act of 2008 (TRHCA). Some of the changes result in the following:

• The regulations clarify that comparable contributions are required for all non-HCEs who are within the same group and for all HCEs who are within the same group even if an employer may make larger annual HSA contributions for non-HCEs than for HCEs who are within the same group of comparable participating employees. (This is permitted under TRHCA).
• An employer may make a full year's worth of HSA contributions under TRHCA's full-contribution rule for mid-year eligible individuals, so long as contributions are made on an equal and uniform basis for all comparable mid-year eligible individuals.
• An employer can make a larger HSA contribution for employees in a higher tier of family HDHP coverage than to those in a lower tier even if the employees in the higher tier are all HCEs and the employees in the lower tier are all non-HCEs. (For instance, self-plus-two is a higher tier than self-plus-one.)
• An employer can offer qualified HSA distributions (i.e., direct rollovers to HSAs from health FSAs or HRAs) to any eligible employee covered under any HDHP if the employer offers qualified HSA distributions to all such employees. Alternatively, an employer may limit qualified HSA distributions to eligible employees covered under the employer's HDHP.

Click here to view copy of pertinent regulations. (Treas. Reg. Secs. 54.4980B-2, 54.4980D-1, 54.4980E-1, 54.4980G-1, 54.4980G-3, 54.4980G-4, 54.4980G-6, 54.4980G-7, 54.6011-2, 54.6061-1, 54.6071-1, 54.6091-1, and 54.6151-1, 74 Fed. Reg. 45994 (Sept. 8, 2009)