Blue Links for Employers

Updates to Our Notice of Privacy Practices and Business Associate Agreements

Earlier this year, the U.S. Department of Health and Human Services published the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule (the "Omnibus Rule" at 78 F.R. 5566) to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act and further strengthen existing HIPAA provisions. The Omnibus Rule established new requirements that impact our Notice of Privacy Practices and Business Associate Agreements.

Business Associate Agreements Amendment
The Omnibus Rule provides that Business Associate Agreements that have not been renewed or modified between March 26, 2013, and September 23, 2013, will be deemed compliant until the date the Business Associate Agreement is renewed or modified or until September 22, 2014, whichever is earlier.

We are currently preparing an amendment to our existing self-funded account Business Associate Agreements to reflect a few minor changes that we need to make as a result of the Omnibus Rule. We expect to distribute the amended language shortly.

Changes to Our Commitment to Confidentiality
Our HIPAA Notice of Privacy Practices, entitled "Our Commitment to Confidentiality," has gone through minor modifications in keeping with the requirements of the Omnibus Rule. The new version, which we will post to our website shortly, is effective September 23, 2013, and contains statements concerning the following:

  • Blue Cross Blue Shield of Massachusetts must have written authorization in order to use or disclose member information for marketing activities or to sell personal health information.
  • Members have a right to notice in the event of a breach of their unsecured personal health information.
  • Blue Cross Blue Shield of Massachusetts is prohibited from using or disclosing genetic information for underwriting purposes.
  • Most uses and disclosures of psychotherapy notes require a member's written authorization.
  • Other uses and disclosures of personal health information not described in the notice will be made only with a member's authorization.

As of September 23, 2013, we will update our HIPAA Notice of Privacy Practices at begin including copies in our annual Evidence of Coverage mailings to our members with fully insured employers.

If you have any questions, please contact your account executive.

Blue Cross Blue Shield of Massachusetts

Blue Cross Blue Shield of Massachusetts is an Independent Licensee of the Blue Cross and Blue Shield Association.
® Registered Marks of the Blue Cross and Blue Shield Association.
© Blue Cross and Blue Shield of Massachusetts, Inc.
101 Huntington Avenue, Suite 1300, Boston, MA 02199-7611 | 1-800-262-BLUE (2583)