Latest Compliance News
MIB Authorization Change is Now Effective
Throughout 2012, MIB published numerous memos explaining the need for the MIB Authorization change, as well as describing certain application filing exceptions (NY, NJ, NE, and Interstate Compact). MIB also provided separate Fact Sheets for members and insurance regulators. Effective January 1, 2013, MIB now requires its members to supplement their authorizations with the following sentence in order to elicit an applicant's express written consent to report information to MIB:
"I authorize XYZ Insurance Company, or its reinsurers, to make a brief report of my personal health information to MIB." [Members may substitute substantially similar language, including "Protected Health Information."]
For those Members that have not completed the authorization amendment process, including their re-filing efforts, they may be interested to learn that MIB succeeded in obtaining a few re-filing waivers (NY, NJ, NE, and Interstate Compact) as well as a special offer for its members from First Consulting & Administration, Inc., a highly respected and experienced industry leader in policy form filings and other insurance regulatory compliance services. For information about this special offer and First Consulting's services, history and qualifications, please go to First Consulting's website.
HHS Issues Long-Awaited Final HIPAA Omnibus Rule
On January 17, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services ("HHS") released its much-anticipated and long-awaited final HIPAA omnibus rule (the "Final Rule") modifying certain aspects of the Privacy Rule, the Security Rule and the Enforcement Rule under the Health Insurance Portability and Accountability Act ("HIPAA"), as well as the Breach Notification for Unsecured Protected Health Information Rule ("Breach Notification Rule") under the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"). The Omnibus Final Rule is comprised of four final rules as follows:
Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by HITECH that make business associates of covered entities (namely, MIB) directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
MIB's Law Dept. (Jon Sager and Allyson Roklan) has been reviewing the lengthy Final Rule and assessing the impact on MIB's operations as well as its 3-year old HIPAA/HITECH Readiness & Compliance Project.
Updated Business Associate Agreement Now Available to Member Covered Entities
MIB has modified its Business Associate Agreement to reflect the changes required by the HITECH Act and the Final HIPAA Omnibus Rule, and to account for the unique relationship that exists between MIB and our valued member companies. To view MIB's new BAA announcement, visit Compliance Guidance Documents. To obtain access, please contact: Nancy Donofrio, MIB Group, Inc., 781-751-6303, firstname.lastname@example.org.
MA Regulation on Protection of Personal Information
MIB has also made available an agreement for those Members who find it necessary to comply with the new MA regulation (eff. 3-1-10) on Protection of Personal Information.
Guidance documents are available from a protected library. To obtain access, please contact us at: email@example.com