Headlines about "Health plan admin - HIPAA"
Gathered from the web by the editors at BenefitsLink.com.
Workplace Wellness Programs: Trends, Changes in the Law Starting in 2014, and Issues to Watch
"Employer wellness programs must comply with a number of federal and state requirements, such as the Americans with Disabilities Act of 1990, the Genetic Information Nondiscrimination Act of 2008, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The issues discussed in this brief relate mostly to HIPAA provisions that prohibit employer health benefit plans from discriminating against individuals based on any factor connected with their health status." (Health Affairs)
Providing Incentives for Healthy Behaviors for Employees While Threading the HIPAA Privacy Needle
"[T]here are exceptions within the HIPAA regulations when it comes to discrimination. You can still protect employee privacy while administering programs that actually do single out particular of individuals, as long as you meet the standards. Participation-only programs and standards-based programs are how you do it. Participation-only programs are programs that offer a reward to anyone who participates - regardless of the outcome of that participation. These are exempt from the non-discrimination requirements with the HIPAA regulations, as long as participation is available to all similarly-situated individuals." (HR.BLR.com)
Proposed Meaningful Use Stage 2 Regs Draw Strong Reaction
"[A few paragraphs in the 68-page comment letter from the American Hospital Association have] drawn the attention and ire of patient and consumer advocate groups. Citing HIPAA concerns, the AHA disagrees with the Centers for Medicare & Medicaid Services proposal 'to provide patients with the ability to view, download, and transmit large volumes of protected health information via the Internet.'" (HealthLeaders Media)
[Guidance Overview] Medical Professional Association Hit with HIPAA Penalty Over Health Information in Insecure Emails and Text Messages
"The small size of the covered entity is notable, and the News Release delivers the message clearly: '[The Office for Civil Rights] expects full compliance no matter the size of a covered entity.' As usual, the CAP's provisions exceed the regulatory requirements, reminding us that compliance may be more onerous after an alleged violation. But the allegations and CAP provisions regarding email are somewhat surprising." (Thomson Reuters/EBIA)
Major Reported PHI Breaches Hits 400 with Theft as Primary Type of Breach
"As the first postings on the HHS List occurred on March 4, 2010, it took almost exactly two years to reach the 400 level, which means that an average of 200 postings of List Breaches have been occurring each year." (Fox Rothschild LLP)
[Guidance Overview] Arizona Surgical Practice to Pay $100,000 in HIPAA Settlement
"A heart surgery group practice agreed to pay $100,000 to settle federal allegations that it chronically neglected standard HIPAA requirements such as risk assessment, training and business associate contracts, [HHS] announced April 17." (Thompson)
Cyber Liability Insurance: Protecting Public Sector Plans against Inappropriate Participant Information Disclosures (PDF)
"Plan sponsors that are considering purchasing cyber liability insurance should review the different coverage options available in the market to help make the proper choice for their unique needs. This is important because policies can be very different in the scope of coverage they provide." (Segal)
[Guidance Overview] Proposed HIPAA Regs Address Unique Health Plan Identifier and ICD-10 Compliance Date
"With little progress under the original HIPAA directive, health care reform prompted action by requiring HHS to implement a standard for a unique health plan identifier by October 1, 2012. The preamble to the proposed regulations notes that health plans will bear the administrative cost of complying with the HPID requirement, while providers (which must identify health plans for billing and other transactions) will likely reap most of the benefits through increased automation." (Thomson Reuters/EBIA)
[Official Guidance] Text of HHS Proposed Rule on Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets (PDF)
"This proposed rule would implement section 1104 of the [PPACA] by establishing new requirements for administrative transactions that would improve the utility of the existing [HIPAA] transactions and reduce administrative burden and costs. It proposes the adoption of the standard for a national unique health plan identifier (HPID) and requirements or provisions for the implementation of the HPID. This rule also proposes the adoption of a data element that will serve as an other entity identifier (OEID), an identifier for entities that are not health plans, health care providers, or 'individuals,' that need to be identified in standard transactions." (Department of Health & Human Services)
[Guidance Overview] Official 'Fact Sheet': HHS Proposes HIPAA Standard for a Unique Health Plan Identifier
"[A committee in 2010] addressed the need for an identifier for entities such as health care clearinghouses, third party administrators (TPAs), and repricers, that are not health plans but that perform certain health plan functions. These entities are currently identified in the standard transactions in the same fields and using the same types of identifiers as health plans, but are not health plans and so cannot obtain a health plan identifier. Based on the [committee's] recommendations, HHS is proposing to adopt an 'other entity' identifier (OEID). ... [C]overed entities, excluding small health plans, would be required to be in compliance with the HPID on October 1, 2014. Small health plans would be required to be in compliance with the HPID on October 1, 2015." (U.S. Department of Health and Human Services)
[Official Guidance] Text of Proposed HHS Regs Requiring Health Plan Identifiers and Extending Compliance Date for ICD-10 Code Sets for Billing (PDF)
"This proposed rule would implement section 1104 of the Patient Protection and Affordable Care Act ... by establishing new requirements for administrative transactions that would improve the utility of the existing [HIPAA] transactions and reduce administrative burden and costs. It proposes the adoption of the standard for a national unique health plan identifier (HPID) and requirements or provisions for the implementation of the HPID." (U.S. Department of Health and Human Services)
Final HITECH Rules Reach OMB
"In addition to finalizing the HITECH changes to HIPAA's privacy, security and enforcement rules proposed in July 2010 by [HHS], the rules will finalize genetic privacy rules that HHS proposed in 2009, as well as HITECH rules on enforcement and breach notification that the agency issued in 2009 in interim final form." (Thompson)
Strong Privacy and Security Rules Crucial to Success of Health Insurance Exchanges Mandated by Health Care Reform
"These exchanges will require new and unique exchanges of data among state agencies, the federal government, private health plans, businesses, individuals and the exchange itself. This process will trigger the creation, collection, exchange, and disclosure of personally identifiable information. Exchanges will handle, at a minimum, basic demographic information, financial information, immigration information, incarceration information and Social Security Numbers." (Center for Democracy & Technology)
[Guidance Overview] $1.5 Million Settlement after HIPAA Security Incident Results in More than $17 Million in Investigation and Remediation Costs
"The [latter part of this] Alert focuses upon risks to employers operating health plans. HIPAA triggers important additional obligations for many other types of businesses, and this latest enforcement action highlights these risks. In the current regulatory and enforcement environment, we recommend that employers obtain a better understanding of the rules applicable to their group health plans by reviewing their legal obligations and risks." (Wilson Sonsini Goodrich & Rosati)
[Guidance Overview] Insurer Pays $1.5 Million in First Settlement Resulting from HIPAA Breach Report
"This is the latest development in a rising tide of HIPAA privacy and security enforcement activity. The news release's characterization of the HITECH Act's notification requirements as 'an important enforcement tool' suggests that more investigations may be commencing this way. With HHS's audit program also underway ..., covered entities and business associates need to be vigilant about compliance. As this settlement demonstrates, there's no avoiding the requirement to perform a HIPAA security risk analysis, and to periodically revisit it." (Thomson Reuters/EBIA)
Data Breach Leads to First HITECH Enforcement Settlement
"Though the settlement is the first relating to HITECH's breach reporting requirements, there likely are more enforcement actions in the pipeline. Since launching its breach notification website in February 2010 as required by HITECH, HHS has received, on average, 17 breach reports each month. Six of those reports involved breaches involving PHI of more than one million patients. HHS has initiated audits on many (if not all) of the significant reported breaches to date and we anticipate further enforcement action settlements to follow." (Ballard Spahr LLP)
[Guidance Overview] Finding the Messages to Employers in $1.5M HIPAA Settlement
"Employers can draw several lessons from this incident and its resolution: First, to date, HHS's monetary settlements with covered entities have focused on health care providers, such as hospitals and pharmacies. This is the first monetary settlement of which we are aware involving a covered health plan. Insurers and self-insured employers offering HIPAA-covered benefits should take note." (Littler)
[Guidance Overview] HHS Settles HIPAA Case with Insurer for $1.5 Million
"HHS announced that Blue Cross Blue Shield of Tennessee ... agreed to pay $1.5 million to settle possible violations of the HIPAA privacy and security rules. This is the first enforcement action which resulted from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule." (Practical Law Company)
Insurer, Office of Civil Rights Reach $1.5M Settlement for HIPAA Breach
"The HIPAA privacy and security enforcer settled Tuesday, March 13, with Blue Cross Blue Shield of Tennessee ... for $1.5 million for its 2009 HIPAA breach that affected more than 1 million individuals[.]" (HealthLeaders Media)
Privacy and Security Issues Affecting Employee Benefit Plans
"The Council recommended that [DOL]: (1) provide guidance on the obligation of plan fiduciaries to secure and keep private the personal identifiable information ... of participants and beneficiaries; (2) develop educational materials and outreach efforts for plan sponsors, participants, and beneficiaries to address the issues of privacy and security of PII; and (3) include in their outreach and educational materials information regarding elder abuse related to benefit plans." (2011 Advisory Council on Employee Welfare and Pension Benefit Plans)
[Guidance Overview] Despite Multiple COBRA Notice Problems, Court Imposes Nominal Penalty
"This multi-faceted COBRA case is packed with issues, including a rarely seen application of the combined notice rule for a termination shortly after entering a plan. Notably, however, the opinion may have missed the mark in dismissing the employee's dental plan and premium subsidy claims: The court misapplied HIPAA's excepted benefit rules to determine that the dental plan was excused from COBRA's requirements, and seemed unaware that ARRA required plans to provide an additional notice and extended election period to eligible individuals involuntarily terminated from September 1, 2008 through February 16, 2009." (Thomson Reuters/EBIA)
[Guidance Overview] Audits Heat Up HIPAA Liability: What to Do Now to Mitigate Risk
"In November 2011, the Office for Civil Rights (OCR) began audits to assess compliance with the HIPAA Privacy, Breach Notice, and Security Rules. The OCR compliance audits will be conducted by KPMG LLP and generally will consist of an initial document request, an onsite visit by the auditors, and then negotiation of an audit report." (Poyner Spruill)
[Guidance Overview] IRS Updates Form 8928 for Self-Reporting of Excise Taxes Owed for PPACA Failures
"PPACA created several new reporting and compliance standards for plans and employers. The [chart in this document] lists some of those new requirements and their effective dates. Failure to meet any of these must be reported on Form 8928 starting in 2012 as of the due date of the employer's federal income tax return. In general, the penalty assessed under Code § 4980D is $100 per day, per affected participant for as long as the plan is non-compliant." (Faegre Baker Daniels)
First HIPAA Enforcement Action Against a Business Associate (and the Plot Thickens with Transparency Demands)
"On Jan. 19, 2012, in the wake of the theft of an unencrypted laptop computer containing approximately 23,500 patients' records, the Minnesota attorney general brought the first formal enforcement action against a business associate, Accretive Health, Inc., for an alleged violation under [HIPAA], using her authority under the [HITECH] Act. Additionally, the attorney general appears deeply unsettled by the amount of information that Accretive Health collected about patients without the patients' knowledge, alleging that this lack of transparency represents deceptive and fraudulent practices under Minnesota law." (Davis Wright Tremaine LLP)
[Guidance Overview] Ninth Circuit Holds That Federal HIPAA Preempts Montana's 'Little HIPAA' Law
"Due to preemption of the state law, the state law claim was defeated on its merits. The court, however, noted that it was not expressing an opinion as to whether its holding would apply to a state HIPAA-type statute that provided additional protection beyond the federal HIPAA statute." (Haynes And Boone)
HIPAA Audits Come with Short Turnaround Times
"[HHS] has begun a pilot program of HIPAA privacy and security audits for health care providers and health plans, and the audits will have some very short turnaround times." (The Bureau of National Affairs, Inc.)
[Guidance Overview] Office of Civil Rights to Conduct HIPAA Compliance Audits
"According to a recent survey, a majority of health care organizations are not fully prepared for the federal audits that will test compliance with HIPAA privacy and security rules. Of the more than 400 survey respondents, less than 20 percent indicated they were fully prepared for OCR's HIPAA compliance audits." (Snell & Wilmer L.L.P.)
[Guidance Overview] HHS Commences HIPAA Pilot Audit Program
"The vast majority of covered entities and business associates will not be audited in 2012, but they can expect the audit program to provide lessons on compliance risks and best practices. They will likely need to update their staffing, policies and procedures, training, and business associate agreements accordingly. They may also gain insight into the audit methodologies and begin preparing for potential audits in 2013 and beyond." (Cooley LLP)
[Guidance Overview] Update on Fiscal Year Health FSAs and the $2,500 Limit
"On January 10, 2011 I posted about how employers with health FSAs that follow a fiscal year might comply with the $2,500 deferral dollar limit going into effect on January 1, 2013. This post updates and corrects the earlier post as follows: Notice 2012-9, which provides updated guidance on Form W-2 reporting of the value of group health care, exempts most health FSAs from the reporting requirement. The specific exemption applies to health FSAs that are exempt from HIPAA because they are funded entirely by employee salary deferrals, or because any employer contribution is $500 or less." (E is for ERISA)
[Guidance Overview] HHS Adopts HIPAA Transaction Standards for Health Care Electronic Funds Transfer and Remittance Advice
"HHS confirmed that a health plan may rely on its financial institution to translate payment instructions into the new file format requirements without the financial institution necessarily becoming subject to HIPAA's requirements. But, as the preamble warns, the health plan, and not its financial institution, will be ultimately responsible for compliance." (Thomson Reuters/EBIA)
[Guidance Overview] Court Imposes Statutory Penalties for Failure to Send COBRA Election Notice to Employee's Last-Known Address
"This case illustrates the importance of making sure accurate information from employment records is communicated by the employer to its TPA. It was not clear in this case whether the TPA accessed the employer's employment records system when it prepared the COBRA notice, nor was it clear whether the notice mailed by the TPA was actually returned as undeliverable." (Thomson Reuters/EBIA)
[Official Guidance] Interim Final HHS Regs: Adoption of Standards for Health Care Electronic Funds Transfers and Remittance Advice (PDF)
"This interim final rule with comment period implements parts of section 1104 of the Affordable Care Act which requires the adoption of a standard for electronic funds transfers (EFT). It defines EFT and explains how the adopted standards support and facilitate health care EFT transmissions. . . . These regulations are effective on [the date of publication in the Federal Register, expected to be January 10, 2012]." (U.S. Department of Health & Human Services)
HIPAA Audits of 150 Plan Sponsors and Employers to Make Sure Employee Health and Financial Records Adequately Protected
"Work began late last year, with 30 of the planned 150 audits beginning in November, with the remainder taking place through the end of this year. The audits -- selected by the Office of Civil Rights -- will include companies of all sizes and types of industries and be conducted by New York-based KPMG, an international financial and auditing firm." (Human Resource Executive Online)
2011 Saw Surge in HIPAA Compliance Issues
"According to a recent Ponemon research study, data breaches alone have risen by 32%. Ninety-two percent of all healthcare institutions report they've experienced one in the past two years, and each such incident costs an average of $2.2 million." (Forbes.com LLC)
TAA Extension Act Includes Health Coverage Provisions
"[The Trade Adjustment Assistance Extension Act of 2011] retroactively increases the health coverage tax credit and extends COBRA periods for eligible TAA program participants and certain Pension Benefit Guaranty Corporation . . . payees. President Obama signed the act into law on October 21." (Towers Watson)
HIPAA Audits Come with Short Turnaround Times
"The planned timeline for the audits is aggressive. As described by HHS, an audit notification letter describing the initial documents and information to be turned over will be sent to a covered entity. The covered entity is then expected to provide the documents and information within 10 business days." (Perkins Coie LLP)
HHS Website: HIPAA Privacy & Security Audit Program
"The audit program serves as a new part of OCR's health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities[.]" (U.S. Department of Health & Human Services)
[Guidance Overview] HHS Rolls Out HIPAA Audit Program
"The Pilot Audit Program will include only HIPAA-covered entities, i.e., health care providers, health plans and health care clearinghouses, and not their business associates, but OCR stated that business associates would be included in future audits." (McDermott Will & Emery)
[Guidance Overview] HHS Announces Immediate Start to HIPAA Audit Program (PDF)
"The audit program will be run through the HHS's Office of Civil Rights . . . and will examine a wide range of covered entities, including group health plans." (Kelly, Hannaford & Battles P.A.)
[Guidance Overview] Have the 'HIPAA Police' Finally Arrived? HHS Launches Formal Audit Program
"The action is not unexpected; the American Recovery and Reinvestment Act of 2009 ('ARRA') required OCR to conduct the audits. However, the announcement, along with ARRA's increased penalties for not complying with HIPAA, may cause covered entities and business associates to refocus on HIPAA's requirements." (Quarles & Brady LLP)
[Guidance Overview] HHS Launches Audit Program to Assess HIPAA Compliance
"The [HHS Office for Civil Rights] is conducting audits of covered entities, including health plans, in a pilot program that begins November 2011 and will continue through December 2012." (Practical Law Company)
[Guidance Overview] HHS to Begin HIPAA Privacy and Security Audits in November 2011
"The description of the pilot program emphasizes the benefits that may come from an increased understanding of why breaches occur and a sharing of best practices. But these audits can still lead to compliance reviews, resulting in monetary settlements or the imposition of civil money penalties." (Thomson Reuters/EBIA)
HHS Announces Immediate HIPAA Audit Initiative
"The audit will focus on the HIPAA privacy and security requirements. The OCR will select a broad range of entities, including health plans and health care providers of all sizes. HIPAA audits begin immediately." (Constangy, Brooks & Smith, LLP)
[Guidance Overview] Proposed HHS Regs Address Health Plan Identifiers and Delay Compliance Date for Use of Standardized Billing Codes
"In general, all health plans that transmit health information electronically in connection with HIPAA covered transactions must comply with transaction standards adopted under HIPAA. The transaction standards are intended to standardize the exchange of electronic data by reducing the use of multiple formats." (Practical Law Company)
The links shown above have been gathered from the web by the editors at BenefitsLink.com. Each article's publisher is shown above in parentheses. Opinions expressed in each article are those of the article's publisher, not necessarily those of BenefitsLink.com, Inc. or any web site that displays these headlines in a "frame." You should contact the listed publisher for copyright information about any particular article or to inquire into the right to use the article in any manner.