Headlines about "Health plan admin - HIPAA"
Gathered from the web by the editors at BenefitsLink.com.
[Guidance Overview] Employers Offering Health Benefits Can No Longer Ignore HIPAA
Excerpt: "If you are an employer offering health insurance to your employees (a Health Plan Sponsor), you know that your group health plan (including any medical, dental, vision and health FSA benefits) is considered a 'covered entity' under the HIPAA privacy and security rules. For many of you who are Health Plan Sponsors, HIPAA privacy and security compliance was a one-time event involving a plan amendment, a few changes to vendor agreements, a notice to plan participants and some training. Unfortunately, Health Plan Sponsors can no longer ignore HIPAA." (DrinkerBiddle)
E-Health Privacy Regulations Draw Congressional Fire
Excerpt: "The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law." (Information Week)
[Guidance Overview] HHS Issues Interim Final Rule to Conform HIPAA Enforcement Regulations to HITECH Act Penalty Revisions
Excerpt: "The enforcement is tougher and the penalties that may be imposed are potentially higher under the HITECH Act than under the prior statutory language. Now that the currently effective HITECH Act enforcement provisions are incorporated into the regulations, more aggressive enforcement of HIPAA's administrative simplification rules (including privacy and security) seems likely." (Employee Benefits Institute of America)
[Guidance Overview] New Treasury Regulations Require Group Health Plans to Self-Report Excise Tax Liability
Excerpt: "Beginning January 1, 2010, plan sponsors (plan administrators for multiemployer plans) will need to self-report excise tax liabilities for failure to meet certain health plan requirements, including requirements under: * COBRA; * HIPAA's portability and nondiscrimination rules; * Newborns' and Mothers' Health Protection Act; * Mental Health Parity and Addiction Equity Act; * Health savings account comparability provisions; * Michelle's Law; * Genetic Information Nondiscrimination Act (GINA)" (Ballard Spahr)
HHS Unveils Online Form for Reporting HIPAA Health Information Breaches
Excerpt: "To report breaches of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), health plans and other covered entities subject to the law's privacy requirements must use a new online form on the HHS website. HIPAA changes enacted by the 2009 HITECH Act require group health plans to report PHI breaches to HHS, even if the breach originated with a vendor or elsewhere. Initial reports of breaches affecting fewer than 500 people are due March 1, 2010." (Mercer LLC)
[Opinion] HHS Breach Notification Rules Again Under Fire
Excerpt: "The Center for Democracy and Technology is the latest to find fault with the Department of Health and Human Services' data breach rules for personal health records. Under the current interim rules, for health care organizations that use encryption or destruction, no breach notification is necessary, but for those who don't, the health organization makes the call on whether the breach is harmful enough to trigger a breach notification. The Department of Health and Human Services should replace its controversial harm standard for triggering a personal health record data breach notification with a risk assessment approach that requires organizations to determine whether the data was actually viewed or acquired by an unauthorized person, according to the Center for Democracy and Technology." (eWEEK.com)
[Opinion] American Benefits Council Comments on Interim Final Rule on Breach Notification for Unsecured Protected Health Information (PDF)
4 pages. Excerpt: "The Council strongly supports the 'harm threshold' HHS adopted in its Interim Final Rule, requiring a covered entity to consider a number of factors to determine whether a particular disclosure poses a 'significant risk of financial, reputational, or other harm to the individual.' 45 CFR 164.402 (definition of 'breach'). If a disclosure meets the 'harm threshold,' the covered entity is required to provide notice to the affected individuals, the media (where applicable) and HHS." (American Benefits Council)
[Guidance Overview] Health Risk Assessments Face Bias Hurdle
Excerpt: "Under IRS rules associated with the Genetic Information Nondiscrimination Act, employers are prohibited from collecting genetic information -- defined as family medical history -- in health risk assessments if that information will be used for 'underwriting' purposes. That includes offering employees discounts on their monthly premium contributions or lowering deductibles for completing a health risk assessment." (Workforce Management; free registration required)
[Guidance Overview] Requirement that Employees Complete Health Risk Assessments in Order to Receive HRA Reimbursements Violates the ADA
Excerpt: "The broadened scope of the definition of 'disability' under recent amendments to the ADA . . . may cause more inquiries in health risk assessments to be viewed as disability-related and thus subject to scrutiny under the ADA. Formal guidance from the EEOC on the ADA's application to wellness programs is sorely needed. It also bears repeating that in addition to the ADA, wellness programs must also meet applicable HIPAA requirements and comply with GINA." (Employee Benefits Institute of America)
[Guidance Overview] Does Your Wellness Program Need to Revise Its Health Risk Assessment?
Excerpt: "The new rules clarify that your health risk assessment can still seek genetic information if no reward is provided, completing the HRA is voluntary, and the HRA is not completed until after a new participant is covered under your health plan. But if your plan offers a reward, then the HRA may not directly or indirectly seek genetic information (although you could put questions seeking genetic information into a separate, voluntary HRA for which there is no reward.)" (Warner Norcross & Judd LLP)
[Guidance Overview] New HIPAA Breach Notification Rules
Excerpt: "Rather than waiting for a breach to occur and then reacting in a panic, best practice is to proactively act now to establish notice procedures, maintain breach logs, revise business associate agreements, train employees and update privacy procedures." (Briggs and Morgan P.A.)
[Guidance Overview] GINA Interim Final Regulations: Wellness and Disease Management Programs Impacted
Excerpt: "Title I of GINA, as interpreted by the interim final regulations, prohibits plans from: Increasing group premiums or contributions based on genetic information; Requesting or requiring an individual or family member to undergo a genetic test (other than for certain limited exceptions, including a plan's right to condition payment for a medical service on medical appropriateness which may in turn depend on the genetic information of the individual); and Requesting, requiring or purchasing genetic information prior to or in connection with enrollment, or at any time for underwriting purposes. It is also important to note that unlike the other provisions of the HIPAA portability and nondiscrimination rules, GINA does apply to group health plans with fewer than two participants who are current employees. In other words, GINA does apply to a separate retiree medical plan." (Kilpatrick Stockton LLP)
[Guidance Overview] HHS GINA Proposed Regulations: HIPAA Covered Entities Impacted
Excerpt: "Based on the proposed regulations, other documents should also be updated to reflect the new GINA provisions, including the health plan's policies and procedures. Depending on the services that are provided by a business associate and the language of existing business associate agreements, applicable business associate agreements may also need to be updated. Last, health plan sponsors should also consider whether adding protective language in their health plan documents is also appropriate." (Kilpatrick Stockton LLP)
It's Time for HIPAA Covered Entities to Update Their Policies on the Use of Cell Phones and Cameras
Excerpt: "Covered entities (CEs) should review and update their policies on cell phones and cameras and make the rules clear and highly visible to employees, patients and visitors . . . . Technology and social networking sites are simple to use and very widespread. A person can take a picture with an iPhone and post it to his or her Facebook page in an instant." (AISHealth.com)
Congressmen Want HIPAA Harm Threshold Eliminated
Excerpt: "Six members of the House of Representatives signed a letter written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification. . . . The Congressmen, all but one of whom are Democrats, wrote they are 'deeply concerned' about the harm provision because it gives covered entities and business associates (BAs) a 'breadth of discretion' as they determine the level of harm to an individual whose PHI was inappropriately disclosed." (HealthLeaders Media)
[Guidance Overview] HHS's Reporting Form for HIPAA Breaches
Excerpt: "[The Department of Health and Human Services] has now published an online form for reporting breaches of unsecured PHI. The HHS form provides a checklist for plan sponsors who experience a breach of unsecured PHI. Plan sponsors can use the form to help them track breaches and to assure that appropriate preventive measures are in place." (The Segal Group, Inc.)
[Guidance Overview] Breach Notification Under the HITECH Act: Action Points for Employers Who Sponsor Self-Insured Group Health Plans (PDF)
Excerpt: "Because the Rule is currently effective and because sanctions will be imposed by HHS for failure to provide required notifications for breaches that are discovered on or after February 22, 2010, what should employers who sponsor self-insured group health plans begin doing now to comply?" (Porter Wright Morris & Arthur LLP)
[Guidance Overview] GINA Regulations: Prohibiting Discrimination in Health Plans Based on Genetic Information and Revising Privacy Rules (PDF)
4 pages. Excerpt: "The proposed regulations would require plans and insurance issuers to revise their Notices of Privacy Practices to include a statement that genetic information cannot be used or disclosed for underwriting purposes. The Privacy Rule generally requires plans to issue an updated notice within 60 days of a material change to the notice. HHS indicated that it understands that this timing may be burdensome and that distributing revised notices may be costly. Thus, HHS solicited comments on ways to mitigate these burdens, such as by allowing a revised notice to be distributed with annual open enrollment materials or allowing a specific extension of time in this instance. The amendments to the Privacy Rule are proposed to be effective 180 days after final regulations are published in the Federal Register. Comments are due on the proposed regulations within 60 days after publication in the Federal Register." (Sutherland Asbill & Brennan LLP)
[Guidance Overview] HIPAA Obligations Create Legal Challenges
Excerpt: "Until Sept. 23, when consumers' health information was accidentally disclosed, they might not have known about it. But under the new regulation, breaches must be reported to the Department of Health and Human Services and to the individuals affected. If providers cannot locate them, they must report the violation on their Web site and to the local media. The media must also be notified if a breach affects more than 500 individuals. Here's where the regulation gets a little murky . . . . It's left up to the businesses themselves to make fact-based determinations as to whether notification is necessary, based on whether there has been a 'significant risk of financial, reputational, or other harm' to the patient. 'It's a bit of a judgment call. We're waiting to see what that turns out as,' . . . ." (Wisconsin Law Journal)
[Official Guidance] Text of Proposed HHS Regs on GINA Changes to HIPAA Privacy Rule (PDF)
13 pages. Excerpt: "In accordance with section 105 of GINA and the Department's general authority under sections 262 and 264 of HIPAA, the Department proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide that genetic information is health information for purposes of the Rule; (2) prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes; (3) revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting; (4) make a number of conforming modifications to definitions and other provisions of the Rule; and (5) make technical corrections to update the definition of 'health plan.'" (U.S. Department of Health and Human Services)
[Official Guidance] Text of GINA Regulations from U.S. Department of Health and Human Services, IRS, DOL (PDF)
35 pages, from Federal Register of October 7, 2009; "Prohibiting Discrimination Based on Genetic Information; Interim Final Rules; HIPAA Administrative Simplification; Genetic Information Nondiscrimination Act; Proposed Rules" (U.S. Department of Health and Human Services, Internal Revenue Service, U.S. Department of Labor)
[Guidance Overview] IRS Final Regs on COBRA, HIPAA and HSA Penalty Reporting, Clarifies HSA Comparability Rules
Excerpt: "Final IRS rules require filing Form 8928 to report and pay excise taxes for violations of HIPAA portability, COBRA, or comparability rules for employer contributions to health savings accounts (HSA) outside of a cafeteria plan or to Archer medical savings accounts. The regulations also clarify certain HSA comparability rules, including the allowance for some higher-paid employees and contributions for midyear plan entrants. The new requirements and clarifications apply to filings due and employer HSA contributions made on or after Jan. 1, 2010." (Mercer LLC)
[Guidance Overview] HITECH Breach Notification Guidance and Employer Next Steps (PDF)
7 pages. Excerpt: "Significant new data security obligations apply to employer health plans under the Health Information Technology for Economic and Clinical Health Act (HITECH) that was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009. . . . To avoid potentially significant notice requirements, plan sponsors will need to review their current policies, procedures, and safeguards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and decide how best to proceed." (Aon Consulting)
HHS Officials Provide Informal Views on Upcoming HIPAA Guidance and More
Excerpt: "The Joint Committee on Employee Benefits (JCEB) of the American Bar Association has reported on its May 2009 Q&A session with officials from HHS's Office for Civil Rights (OCR). Highlights include the following informal, nonbinding remarks regarding HIPAA privacy rule issues . . . ." (Employee Benefits Institute of America)
[Guidance Overview] Online Form and Instructions Available for Reporting Breaches of Unsecured PHI to HHS
Excerpt: "EBIA Comment: Covered entities (including health plans) will likely appreciate this relatively straightforward form, as well as the ability to complete and file it online. It is worth noting that, for breaches affecting more than 500 individuals, ARRA requires that some of the information provided on this form be made publicly available by posting on the HHS website. ARRA also requires that OCR provide an annual report to Congress regarding the number and nature of breaches that are reported each year and the actions taken to respond to such breaches." (Employee Benefits Institute of America)
[Guidance Overview] Mental Health Parity: Is Your Health Plan Ready?
Excerpt: "A number of legislative and regulatory changes affecting group health plans recently have or soon will become effective in the 15 months between October 1, 2008, and January 1, 2010 [including]: * The COBRA subsidy; * Michelle's Law; * Genetic Information Nondiscrimination Act; * Special enrollment rights for persons losing CHIP or Medicare coverage or obtaining premium assistance from a state under a CHIP or Medicare program; * HIPAA privacy and security changes, including a breach notification requirement; * Final cafeteria plan regulations; and * Changes in state health insurance laws, such as the expansion of the available continuation coverage period from 18 to 36 months (New York) and modifications to the Massachusetts Health Care Reform Act. [In addition, the] Mental Health Parity and Addiction Equity Act of 2008 . . . becomes effective for plan years beginning after October 3, 2009 (a special rule applies to collectively bargained plans). Thus, the effective date is January 1, 2010, for calendar year plans." (Jackson Lewis)
[Guidance Overview] Insurer Not Liable for Discontinuing Small Group Supplemental Medical Policy
Excerpt: "We agree with this court's conclusion that the policy's termination did not violate HIPAA's prohibition on health status discrimination (which also applies to employer-sponsored health plans). HIPAA does not prohibit employers from making changes to their group health plan eligibility, benefits, or coverage provisions, so long as similarly situated individuals are treated the same and the change is not directed at individual participants or beneficiaries." (Employee Benefits Institute of America)
[Guidance Overview] Data Mining Coalition Battles for Prescription Data
Excerpt: "In IMS Health Inc. v. Ayotte, 550 F.3d 42 (1st Cir. N.H. 2008), cert. den., 129 S. Ct. 2864 (2009) the First Circuit upheld a New Hampshire law that among other things prohibited certain transfers of physicians' prescribing histories for use in marketing drugs to physicians. A similar battle is now underway in the Second Circuit Court of Appeals over a Vermont statute. In IMS et al v. Sorrell a coalition of data mining entities seek to overturn a decision by the district court (IMS Health Inc. v. Sorrell, 2009 U.S. Dist. LEXIS 35594 (D. Vt.) (2009)) upholding the Vermont law. The Electronic Privacy Information Center (EPIC) has filed an amicus brief urging the Second Circuit to affirm the decision." (Roy Harmon III via Health Plan Law)
[Guidance Overview] Governance and Compliance Advisory Update: September 2009
Excerpt: "Most of these developments relate to health and welfare plans, particularly IRS guidance on over-the-counter items for FSAs. The HHS released final regulations covering security breaches under new HIPAA rules; Ohio initiated required health care coverage for uninsured and older dependent children, and Massachusetts clarified rules under its 'pay or play' mandate." (Towers Perrin)
With New Authority, HHS Office for Civil Rights Vows 'Vigorous Enforcement' of HIPAA Security as Well As Privacy
Excerpt: "Covered entities, as well as business associates, should expect stepped-up federal enforcement of both the privacy and security rules now that the HHS Office for Civil Rights was granted authority for investigating alleged violations of the HIPAA security rule, complementing its role as the enforcer of the privacy rule. Since 2005, the security rule had been enforced by the Centers for Medicare and Medicaid Services, while privacy was OCR's job. That changed on August 4 when incoming HHS Secretary Kathleen Sebelius re-delegated that authority to OCR." (AISHealth.com)
[Guidance Overview] The Four Things You Need to Know and Do to Comply with the New HIPAA Breach Notification Rules
Excerpt: "Special note for entities that provide personal health record services as Covered Entities: Comply with HIPAA, not the new FTC Rules. One day after the Rule takes effect, new Federal Trade Commission breach notification requirements will require personal health record (PHR) vendors and their third-party service providers to notify affected individuals of breaches. The intent of the FTC Rule is to govern entities that do not have to comply with HIPAA, such as occupational health vendors that host employee health records and vendors who sell devices that are able to upload data to a personal record. If an entity is subject to both the HHS and FTC rules, such as vendors that offer PHRs to customers of a Covered Entity as a Business Associate and also offer PHRs directly to the public, the FTC will deem compliance with certain provisions of the HIPAA breach notification rule as compliance with the FTC's Rule." (von Briesen & Roper, s.c.)
[Guidance Overview] HIPAA Privacy Breach Notification Regulations
9 pages. (Gallagher Benefit Services, Inc.)
[Guidance Overview] New HITECH Changes to HIPAA Require Action by Group Health Plans: September 23, 2009 Effective Date
Excerpt: "The Health Information Technology for Economic and Clinical Health Act ('HITECH'), a part of the American Recovery and Reinvestment Act of 2009, imposes a new duty on covered entities (including group health plans) to notify affected individuals and, in some cases, the media and the Department of Health and Human Services ('HHS'), of a breach of unsecured protected health information ('PHI'). As required by HITECH, HHS issued regulations on August 24, 2009 providing more detail regarding this new duty. The regulations are effective September 23, 2009 but, as noted . . ., HHS will not impose sanctions for breaches discovered during the 180-day period beginning on the issue date." (Sonnenschein Nath & Rosenthal LLP)
[Guidance Overview] What Constitutes a Breach under the HIPAA HiTech Breach Notification Requirements (PDF)
Excerpt: "This advisory focuses on identifying a breach and whether possible exceptions apply. . . . Practice Pointer: Although business associates and covered entities have slightly different notice obligations, each must be able to identify 'breaches' in order to satisfy its respective notice obligations." (Alston & Bird LLP)
[Guidance Overview] New HIPAA Security Breach Notification Rules Requiring Prompt Action by Covered Entities (PDF)
Pages 1-4 of 10 pages. Excerpt: "[T]he interim rule will take effect on September 23, 2009. Although HHS has stated in the preamble to the interim rule that it will not impose sanctions for any failure to provide notification for breaches discovered before 180 calendar days from the publication of the interim rule on August 24, 2009 (February 22, 2010), affected organizations should act immediately to ensure compliance including, but not limited to, updating policies and procedures and the notice of privacy practices, training employees and other applicable workforce members on these requirements, and revising business associate agreements." (Trucker Huss)
[Guidance Overview] Group Health Plan Sponsors Should Be Aware of Changes Made by the HITECH Act
Excerpt: "The Health Information Technology for Economic and Clinical Health Act (the 'HITECH Act'), which was part of the American Recovery and Reinvestment Act of 2009, made some significant changes to the privacy and security rules. Most of the changes are effective on or after February 17, 2010, although some of the requirements have earlier or later effective dates. The new requirements under the HITECH Act are described [in the target page]. Sponsors of group health plans should familiarize themselves with the changes and begin to take steps to comply with the new requirements." (Snell & Wilmer LLP)
[Guidance Overview] Seventh Circuit Emphasizes Need to Assess the 'Gravity' of Any Conflict of Interest in Its Latest Post-Glenn Decision
Excerpt: "EBIA Comment: At this point, most of the federal circuit courts have weighed in on the impact of the Glenn case, which was decided over a year ago. This latest Seventh Circuit decision is notable among these post-Glenn decisions for its re-examination of the multifactor analysis and its attempt to make this standard 'more directive' for courts and plan administrators. One byproduct of this decision's emphasis on the gravity of a conflict of interest is that it may justify more discovery of information regarding the conflict -- an issue that has divided the courts post-Glenn." (Employee Benefits Institute of America)
[Guidance Overview] Final FTC Rule on Health Information Breach Notification
Excerpt: "EBIA Comment: The HHS final interim rule on breach notification for unsecured PHI has also been published and is effective September 23, 2009. Together, the adoption of the FTC and HHS final rules creates far-reaching breach notification requirements under the American Recovery and Reinvestment Act of 2009 (ARRA)." (Employee Benefits Institute of America)
[Guidance Overview] Final Regulations on HITECH Security Breach Notification for HIPAA Protected Health Information (PDF)
2 pages. Excerpt: "The regulations clarify a number of key issues: Use or disclosure must violate privacy rule, Risk of harm threshold, Concrete examples of breach exceptions, Flexibility in dealing with business associates, Technology guidance does not amend security rule, and The HIPAA's Privacy rule's administrative requirements apply." (The Segal Group, Inc.)
[Guidance Overview] Summary of the HHS Security Breach Notification Rules (PDF)
6 pages. Excerpt: "The Department of Health and Human Services ('HHS') has issued interim final rules on HIPAA's new security breach notification requirement, which was adopted under the HITECH Act in February as part of the stimulus bill. The HITECH Act made significant changes to the HIPAA privacy and security rules, including imposing a new requirement that covered entities notify individuals when their 'unsecure' protected health information ('PHI') is breached." (Groom Law Group via American Benefits Council)
[Guidance Overview] HIPAA Security Breach Notification Rules
Excerpt: "The new rules are effective 30 days after publication in the Federal Register, or September 9, 2009 (although HHS did adopt a nonenforcement policy through 2/22/10). Comments are due October 23, 2009. The [summary attached to the target page] details the new rules, including what steps health plans and health care providers should be taking. Also attached are the rules themselves." (Groom Law Group)
[Guidance Overview] New HIPAA Breach Notification Regulations Require Immediate Attention
Excerpt: "Once published, covered entities and business associates will, as a practical matter, only have [until September 23, 2009] to comply with the new rules -- a very short time and one which will force them to work very diligently to comply with the new rules. . . . A covered entity and business associate must be able to identify, record, investigate, and report to an affected individual and HHS any breach occurring after September 23, 2009. This will require covered entities and business associates to update all their business associate agreements, train their workforces and establish their policies and procedures to ensure that they can identify, record and report such breaches." (Michael Best & Friedrich)
[Guidance Overview] New Standards for Breaches of Health Plan Participant Unsecured Protected Health Information
Excerpt: "The new regulations are effective for breaches occurring on and after September 23, 2009, and provide employers with much-needed guidance in determining: (1) whether a 'breach' has occurred; (2) exactly when notices to the media are needed and how they are to be provided; and (3) how HHS thinks the new federal rules will work in conjunction with existing state notice requirements. HHS does indicate, however, that through March 2010, it will not impose penalties for failing to comply with the rules . . . ." (Ogletree Deakins)
[Official Guidance] Interim Final Regs: Breach Notification for Unsecured Protected Health Information (PDF)
32 pages. Excerpt: "[T]he [HITECH] Act requires HHS to issue interim final regulations within 180 days to require covered entities under [HIPAA] and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is 'unsecured protected health information,' in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals." (U.S. Department of Health and Human Services)
[Guidance Overview] HHS and FTC Final Rules on Health Information Breach Notification Requirements
Excerpt: "EBIA Comment: The breach notification implementation guidance has been widely anticipated by HIPAA-covered entities, business associates, and certain noncovered entities. These provisions, enacted under ARRA, provide very tight timeframes for compliance which are reflected in the quick effective dates of both the HHS and FTC rules. However, the approach announced by both agencies to use their discretion in not immediately enforcing the new requirements should provide some short-term relief as entities gear up for compliance. Affected entities should take immediate steps to determine to what extent they can meet the safe harbor guidance for securing PHI." (Employee Benefits Institute of America)
[Guidance Overview] HIPAA Security Breach Notification Rule Refinement of Key Terms
Excerpt: "On August 19, 2009, the federal Department of Health and Human Services (HHS) issued the interim final rule regarding notification of breaches of unsecured protected health information under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule refines and narrows key concepts in a manner that will limit the notification obligations of covered entities. In connection with the rule, HHS also updated its April 17, 2009, guidance specifying technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals, and therefore exempt from the notice requirements." (Faegre & Benson LLP)
CMS's HIPAA Security Review Summary Implies Encryption and Employee Background Checks May Be Required
Excerpt: "'The two themes that stand out to me in the CMS summary are the importance of well-developed policies and procedures and the obligation of ongoing compliance,' [Chris Bennington, an attorney in the Cincinnati-Dayton office of Bricker & Eckler LLP] tells RPP. 'Not surprisingly, many of the compliance issues highlighted by CMS focused on the covered entities' policies and procedures.'" (AISHealth.com)
[Guidance Overview] HHS Delegates Authority for Administration and Enforcement of HIPAA Security Rule to Office for Civil Rights
Excerpt: "EBIA Comment: Given that administration and enforcement of the privacy and security rules are naturally intertwined, the shift to consolidate authority under a single office within HHS makes practical sense. Whether this signals an adoption of a stricter attitude or approach toward enforcement remains to be seen. It is worth noting that the American Recovery and Reinvestment Act of 2009 (ARRA) mandated improved enforcement of the privacy and security rules . . . ." (Employee Benefits Institute of America)
[Guidance Overview] Bizarre Case Teaches Key HIPAA Lessons
Excerpt: "The facts of a recent Minnesota lawsuit are so outlandish that they seem more appropriate for a tabloid cover or TV soap opera than a court opinion. After all, the old adage is that truth is sometimes stranger than fiction. The case of Yath v. Fairview Clinics involved a patient who came to a clinic and was diagnosed with a sexually transmitted disease. She told the doctor that she had a new partner, even though she was still married at the time to her estranged husband. An employee at the clinic snooped into her records and disclosed this information to several others, including one person who displayed many of the details on a MySpace web page. Many of these disclosures were via the employer's e-mail system. Ultimately, the patient and her soon-to-be ex-husband found out." (Infinisource)
Accounting for Disclosures in Electronic Health Records Could Be Problem for HIPAA Covered Entities
Excerpt: "The new accounting of disclosures requirements for EHRs under the HITECH Act dictates that providers log all disclosures made through EHRs -- including those made for treatment, payment and health care purposes -- and report them to patients when requested. Formerly, HIPAA required that providers log when protected health information (PHI) is disclosed for purposes other than treatment, payment or health care operations." (AISHealth.com)
[Guidance Overview] Securing Data Under the New HIPAA Amendments
Excerpt: "Similar to security breach notification laws that have been enacted in more than 40 states, the HIPAA breach notification law requires that if an employer's self-insured health plan experiences a data breach involving individually identifiable health information about plan participants (known as Protected Health Information or PHI), the employer must notify those individuals whose data is involved in the breach. Unlike state laws, which generally apply only to electronic data, the HIPAA breach notification law applies to data in any form, which includes paper documents and even verbal communications. Thus, a duty to notify could arise in the following circumstances: A hacker penetrates your firewall and accesses and possibly acquires a database of health plan participants; An employee goes snooping through health plan records to find information about a co-worker; A manager accesses health plan records to make personnel decisions about employees; An employee e-mails records containing PHI to the wrong e-mail address; An employee discusses a participant's health condition with other employees . . . ." (Warner Norcross & Judd LLP)
HIPAA Security Rule to Now Be Administered and Enforced by OCR, Not CMS
Excerpt: "Department of Health and Human Services (HHS) Secretary Kathleen Sebelius has announced that authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule has been delegated to the Office for Civil Rights (OCR)." (International Foundation of Employee Benefit Plans)
[Guidance Overview] Tackling Top 10 HIPAA Duties to Meet New HITECH Act Obligations
Excerpt: "To comply with the HIPAA changes made by the HITECH provisions of the American Reinvestment and Recovery Act, employers sponsoring group health plans must revisit their privacy and security practices and review plan documents. This Update identifies 10 key tasks, ranked by the timelines for taking action, to help employers tackle the new HIPAA requirements by their effective dates. Because HITECH requires annual or more frequent updates of regulatory guidance on suitable methods of securing protected health information, employers can expect to undertake ongoing compliance reviews." (Mercer LLC)
[Guidance Overview] HIPAA Does Not Preempt State-Law Claim for Improper Disclosure of Medical Records
Excerpt: "EBIA Comment: Although this case did not involve a health plan, it caught our attention because it makes the important point that while HIPAA provides no private cause of action for individuals whose privacy rights are violated, state-law claims are still possible. This is because only state laws that are 'contrary' to HIPAA are preempted and a provision of state law is 'contrary' to HIPAA only if it would be impossible to comply with both the state and federal requirements, or if the state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA. We also note that if the state-law claim in this case had been made against a health plan subject to ERISA (ERISA applies to most private-sector plans), the plan would have had an additional argument for preemption based on ERISA's more sweeping preemption provision." (Employee Benefits Institute of America)
[Guidance Overview] Recent Legislation and Regulations Require Changes to Health and Welfare Benefit Plans
Excerpt: "Congress and federal regulatory agencies have been busy enacting legislation and proffering guidance which implements many new requirements for group health and welfare benefit plans. Many of the changes will require thoughtful action on the part of administrators and sponsors of group health and welfare benefit plans. This brief outline of current health and welfare compliance developments is not intended to be exhaustive, but rather serves to illustrate the depth and breadth of changes facing plan sponsors now and in the coming months." (Littler Mendelson P.C.)
[Guidance Overview] Health Privacy Changes Create Increased Risks and Obligations for Holders of Health Data
Excerpt: "In the wake of the recent changes, organizations that handle protected health information may consider: reassessing any potential HIPAA obligations; determining the extent of that obligation, if they are obligated to comply with HIPAA; and reviewing existing HIPAA compliance policies and procedures in light of the legal changes, and regularly in the future, to assure continued compliance with the law." (Wilson Sonsini Goodrich & Rosati)
[Guidance Overview] What Is a 'Special Enrollment Opportunity' in Employment-Based Health Insurance Plans (PDF)
4 pages. Excerpt: "This special enrollment opportunity gives people who are losing coverage a chance to sign up immediately in an employer's group health plan -- even if it is outside of the plan's specified times for enrollment, such as when you are starting a job. Like many federal protections, however, this one has a number of conditions that make it complicated. You must meet certain requirements for the right to enroll, including notifying the employer within a specified time . . . . The employer, too, has certain responsibilities. For example, the employer or the employer's health plan must give all employees notice of special enrollment rights when the employee is first offered the chance to enroll in the employer's group health plan." (Families USA)
[Guidance Overview] Under HITECH Act, Business Associates Now Directly Covered by HIPAA (PDF)
Excerpt: "[Business associates (BAs)] should act now to review: (1) the information security measures it employs to protect PHI, (2) its policies and procedures relating to PHI it handles for Covered Entity clients, (3) its BA agreements, (4) the ways in which it uses and discloses PHI and the amount of PHI disclosed and (5) its communications to patients, if any, to implement measures to meet these new requirements. Also, BAs should prepare for the compliance audits that will be coming by implementing appropriate written policies and maintaining documentation to demonstrate their compliance with the new privacy and security requirements for PHI as they become effective. And BAs should assign responsibility for monitoring the development and issuance of the many implementing regulations that will be forthcoming." (Alston & Bird LLP)
[Guidance Overview] Expanded HIPAA Requirements and HHS Guidance on Securing Protected Health Information
Excerpt: "On April 17, the Department of Health and Human Services (HHS) released guidance on technologies and methodologies for securing PHI, which takes effect immediately. Employers will have to review and possibly update agreements with business associates, revise privacy practices and systems, update notices about privacy practices and make other changes. The effective dates generally vary by provision -- the stricter penalties are already in effect, while other changes and requirements take effect next year or later." (Watson Wyatt Worldwide)
[Guidance Overview] The Stimulus Push for Electronic Health Records and Strengthened Privacy and Security
Excerpt: "A significant chunk of The American Recovery and Reinvestment Act of 2009 (ARRA), approximately $20 billion, is aimed at motivating health care providers to implement electronic health record (EHR) systems. The incentives will be paid in the form of increased Medicare and/or Medicaid payments. Medicare incentive payments will begin in 2011 and will be paid over four years for eligible hospitals and over five years for eligible health care professionals who can show 'meaningful use' of a 'certified EHR' system. The incentive program for hospitals is based on the 'Medicare share' of a base payment amount of $2 Million, adjusted based on the hospital's discharge data. The Medicare share takes into account the proportion of inpatient bed days that are paid by Medicare as well as an adjustment for charity care." (Poyner Spruill LLP)
The links shown above have been gathered from the web by the editors at BenefitsLink.com. Each article's publisher is shown above in parentheses. Opinions expressed in each article are those of the article's publisher, not necessarily those of BenefitsLink.com, Inc. or any web site that displays these headlines in a "frame." You should contact the listed publisher for copyright information about any particular article or to inquire into the right to use the article in any manner.