HIPAA Privacy Requirements

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was originally enacted by Congress in August 1996. Additional regulations found in the Code of Federal Regulations, Title 45, Part 160, protecting the privacy of health information became effective in 2003, and security protections found in Title 45, Part 164, were added in 2004.

The law was amended by the Health Information Technology for Economic and Clinical Health Act of 2009, or “HITECH Act.” The American Recovery and Reinvestment Act of 2009 (ARRA) included a section called the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that changes the way HIPAA is administered. The HITECH Act expanded the jurisdiction of the government so that it can regulate Business Associates directly, and it significantly increased the penalty amounts that may be imposed on violators of the HIPAA rules. The HITECH Act requires entities covered by HIPAA to notify individuals when their health information is breached and encourages prompt corrective action by those responsible for the breach. In cases where a breach affects more than 500 individuals, notification must also be provided to federal regulators and the media.

Additionally, the Department of Health and Human Services finalized certain modifications to the Privacy and Security Rules via a final rule known as the “Omnibus Rule,” which was promulgated in 2013.

The HIPAA Privacy and Security Rules protect individuals’ rights and impose restrictions on the use, disclosure and transmission of Protected Health Information (PHI). PHI includes any personally identifiable information connected with an individual’s health care, including past, present and future health conditions, social security numbers, contact information, claims information and other information that can be used to identify a person.

The Boon Group® and its wholly owned subsidiaries are committed to protecting the personally identifiable health information of all plan participants and their dependents, and adhere to the requirements of the federal HIPAA Privacy and Security Rules as well as state privacy laws. The Boon Group has its own designated in-house counsel and Privacy and Security Officer to oversee compliance with these laws and regulations.

The Boon Group’s subsidiaries serve as business associates to group health plans, including insurance issuers. The Boon Group has entered into the necessary agreements with such entities to protect all personally identifiable health information that it may receive, and to treat such information in a confidential manner. The Boon Group also utilizes strong encryption technologies to ensure that protected health information being transmitted through electronic communication networks is always sent securely.

The Boon Group has developed privacy and security policies and procedures, which are enforced by the Privacy and Security Officer. All Boon Group employees are required to complete Privacy and Security Training, which includes the enhanced security enforcement guidelines, within 60 days of their date of hire and annually thereafter.

If you have any questions or need additional information concerning the compliance efforts of The Boon Group as related to the HIPAA Privacy and Security Rules or state privacy laws, or any information as to how these laws and regulations may affect your group health plan, please contact us.