The economic stimulus legislation signed into law in February could be onerous for employers and their health care partners. The law now requires “covered entities”, which in the past typically included employers and insurers who sponsor health plans, to notify individuals in writing if their personal health information is compromised. Notification of a breach in privacy must be made within 60 days of the breach.
For the first time, the law extends direct HIPAA enforcement to “business associates,” which include consultants, pharmacy benefit managers, third-party administrators and other vendors. The legislation gives state attorneys general the authority to bring lawsuits seeking statutory damages and attorney fees for HIPAA violations.
This law will have a direct impact on employers’ relationships with their vendors, including consultants. If, for example, a consultant breaches HIPAA, he/she must notify the insured within 60 days of the breach. The state attorney general can then bring suit against the consultant for damages.
E&O coverage needs to be amended, in some cases, to cover this liability.