Headlines about "Health plan admin - HIPAA"
Gathered from the web by the editors at BenefitsLink.com.
[Guidance Overview] IRS Issues New Form 8928 on Excise Taxes for Failures to Comply with HSA Comparability, COBRA, HIPAA, and Other Group Health Plan Mandates
Excerpt: "EBIA Comment: This Form's publication likely signals increased focus on excise tax assessment for noncompliance with these various mandates. To help keep the excise tax risks to a minimum, cautious plan sponsors (and others, like TPAs and insurers, who may be liable) will follow an approach to compliance designed not only to prevent mistakes from happening but also to catch and correct the ones that inevitably fall through the cracks." (Employee Benefits Institute of America)
[Guidance Overview] Podcast: HITECH's Impact on Benefit Brokers and Advisers
Excerpt: "With enforcement of the HITECH rules slated to begin this month, attorney Christine Roberts provides an overview of the requirements and offers some tips on what to do now to prepare." (Employee Benefit Adviser; free registration required)
[Guidance Overview] Number of HITECH Provisions Will Take Effect or Become Subject to Enforcement This Month (PDF)
Excerpt: "Although HITECH's new breach notification requirements took effect September 23, 2009, HHS adopted a non-enforcement policy allowing HIPAA-covered entities and business associates an additional five months -- or until February 22, 2010 -- to come into compliance with these provisions. . . . Action should be taken immediately to ensure that appropriate procedures are in place by that deadline." (Buck Consultants)
The Health Information Security and Privacy Collaboration
Excerpt: "Established in June 2006 by RTI International through a contract with the U.S. Department of Health and Human Services (HHS), the Health Information Security and Privacy Collaboration (HISPC) originally comprised 34 states and territories. . . . Each project is designed to develop common, replicable multi-state solutions that have the potential to reduce variation in and harmonize privacy and security practices, policies, and laws." (U.S. Office of the National Coordinator for Health Information Technology)
HIPAA HITECH Compliance Steps to Take Now
Excerpt: "Here is a quick checklist of what you should be doing to comply: Send updated agreements to your business associates. . . . Adopt a HIPAA breach notification policy. . . . Amend HIPAA policies and procedures to address the following issues: Updated minimum necessary rule; Additional prohibitions on the use of PHI for marketing; [and,] New individual right to request restrictions on disclosures to health plans. Evaluate your Notice of Privacy Practices . . . . Train staff on new procedures." (Warner Norcross & Judd LLP)
[Guidance Overview] Excise Tax Reporting for HIPAA, COBRA and HSA Violations
Excerpt: "HIPAA, COBRA and certain other laws include excise tax penalties for violations and similar excise tax provisions apply to certain health savings account (HSA) and medical savings account (MSA) contributions. Employers have had little guidance on reporting or paying these excise taxes, but final IRS regulations issued in September 2009 fill that void, describing who is responsible for paying the tax, and how and when to report violations." (Mercer LLC)
[Guidance Overview] Complying with HIPAA Privacy and Security Mandates under the HITECH Act: A Field Guide for Benefits Brokers, Consultants and other Business Associates
Excerpt: "The Act has both raised and broadened the HIPAA compliance bar for business associates. Prior law gave business associates something of a free pass. That was -- as they say -- then. Among other things, business associate agreements will need to be reviewed and updated to comply with HITECH's new rules, and employees with access to PHI will need to be trained. Covered entities and business associates should be aggressively moving to anticipate these rules and to comply with them even in the absence of guidance." (Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.)
[Guidance Overview] Enforcement of HITECH Act Breach Provisions Set to Take Effect in February
Excerpt: "[O]n August 24, 2009, HHS released regulations delineating a covered entity's duty to notify affected persons of a breach of unsecured protected health information (PHI). Although these regulations became effective on September 23, 2009, due to concerns over the period of time necessary to comply with these regulations, HHS delayed enforcement of the regulations for six months. This enforcement delay is set to expire on February 22, 2010." (The ERISA Industry Committee)
Important Dates to Remember in the First Quarter of the Year
Examples: HITECH Act Takes Primary Effect, February 17, 2010; DoDAA Grace Period Extension Period Ends, February 17, 2010; Penalties for HITECH Act Breach Notice Violations Begin, February 22, 2010. (Infinisource)
[Guidance Overview] Year-End Reminders for Health and Welfare Plans: 2009
Excerpt: "As an eventful 2009 draws to a close, this Update highlights federal developments affecting health and welfare plans, including new restrictions on the use of genetic information, coverage expansions, the COBRA subsidy program, new rights for military families, parity requirements for mental health coverage, Medicare secondary payer reporting, and changes in HIPAA privacy and security provisions made by the HITECH Act." (Mercer LLC)
[Guidance Overview] IRS Guidance Requires Group Health Plan Excise Tax Reporting in 2010 (PDF)
Excerpt: "Beginning in 2010, employers that fail to comply with COBRA, HIPAA and other federal group health plan mandates will have to file an excise tax return. Recent IRS guidance indicates that these taxes must be reported on Form 8928 and paid on or before the due date (without extension) of the employer's federal income tax return. The guidance also clarifies HSA comparability rules in light of 2006 law changes." (Buck Consultants)
[Guidance Overview] Interim Final Regulations on Increased Penalties for HIPAA Violations (PDF)
2 pages. Excerpt: "The interim final regulations take effect on November 30, 2009, and apply to violations occurring on or after February 18, 2009. . . . . The interim final regulations establish the significantly increased penalty structure for HIPAA privacy and security violations. Covered entities should assure that they can demonstrate full compliance with HIPAA requirements to avoid significant liability." (Buck Consultants)
[Guidance Overview] EEOC Revision of 'Equal Employment Opportunity Is the Law' Poster to Address ADA Amendments and GINA
Excerpt: "EBIA Comment: Employers should update their EEOC posters right away in accordance with the applicable options, keeping in mind that special rules apply about where to post such notices. As a practical matter, we recommend using the November 2009 poster, which contains a full description of the current rules and would be less confusing for employees. Note that many of the employment nondiscrimination laws in the EEOC posters provide protections relating to fringe benefits (including group health plans) provided by employers." (Employee Benefits Institute of America)
[Opinion] ERIC Urges Agencies Not to Eviscerate Workplace Wellness Programs (PDF)
15 pages. Excerpt: "The ERISA Industry Committee (ERIC), the Washington, D.C.-based trade association representing America's major employers, today submitted comments in response to a request for comments on the interim final rules implementing provisions of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) that prohibit group health plans from discriminating on the basis of genetic information. The request was published by the Departments of Labor, Health and Human Services, and Treasury in the Federal Register on October 7, 2009." (The ERISA Industry Committee)
Employers Must Post New EEOC Poster to Comply with GINA
Excerpt: "The Equal Employment Opportunity Commission has revised its 'Equal Employment Opportunity is the Law' poster to include information about Title II of the Genetic Information Nondiscrimination Act (GINA) and the Americans with Disabilities Act Amendments Act of 2008. Employers are waiting for the EEOC to issue final regulations implementing Title II of GINA, which prohibits the use of genetic information in employment decisions and restricts its collection and disclosure by employers. Employers are required to post the new notice by Title II's effective date of Nov. 21, 2009." (Mercer LLC)
Employers Urged to Warn Regulators About GINA Rules' Negative Impact on Wellness Programs
Excerpt: "Genetic Information Nondiscrimination Act (GINA) rules should not force employers to drop family medical history questions from health risk assessments (HRAs) or alter related incentives, according to leading employer groups. The ERISA Industry Committee and American Benefits Council are urging employers to write regulators in November about what role family medical history plays in HRAs; why incentives are key to wellness, disease management and other programs; and how the GINA rules could impede use of such programs and negatively affect efforts to improve health and control costs." (Mercer LLC)
[Guidance Overview] HHS's Interim Final Rule Conforming HIPAA Civil Money Penalties to HITECH Act Requirements
Excerpt: "The new HIPAA civil money penalties scheme substantially increases the potential penalties for HIPAA violations occurring on or after February 18, 2009." (McDermott Will & Emery)
Health Care Companies Not Ready for HITECH Act Compliance, According to Survey
Excerpt: "A new survey reveals most health care organizations are not properly prepared to deal with pending privacy and security compliance regulations required under the Health Information Technology for Economic and Clinical Health Act. More than 90 percent of health care companies are not ready to comply with the privacy and security provision of the Health Information Technology for Economic and Clinical Health Act, according to a survey conducted by the Ponemon Institute and sponsored by Crowe Horwath." (eWEEK.com)
[Guidance Overview] HHS's Increases in Civil Monetary Penalties for HIPAA Violations
Excerpt: "On October 30, 2009, the Department of Health and Human Services (HHS) published an interim final rule that significantly amends the civil monetary penalty guidelines for violations of the Health Insurance Portability and Accountability Act (HIPAA) (the 'Interim Final Rule'). These amendments, mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), become effective on November 30, 2009, but apply to violations occurring on or after February 18, 2009." (Troutman Sanders LLP)
[Guidance Overview] Employers Offering Health Benefits Can No Longer Ignore HIPAA
Excerpt: "If you are an employer offering health insurance to your employees (a Health Plan Sponsor), you know that your group health plan (including any medical, dental, vision and health FSA benefits) is considered a 'covered entity' under the HIPAA privacy and security rules. For many of you who are Health Plan Sponsors, HIPAA privacy and security compliance was a one-time event involving a plan amendment, a few changes to vendor agreements, a notice to plan participants and some training. Unfortunately, Health Plan Sponsors can no longer ignore HIPAA." (DrinkerBiddle)
E-Health Privacy Regulations Draw Congressional Fire
Excerpt: "The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law." (Information Week)
[Guidance Overview] HHS Issues Interim Final Rule to Conform HIPAA Enforcement Regulations to HITECH Act Penalty Revisions
Excerpt: "The enforcement is tougher and the penalties that may be imposed are potentially higher under the HITECH Act than under the prior statutory language. Now that the currently effective HITECH Act enforcement provisions are incorporated into the regulations, more aggressive enforcement of HIPAA's administrative simplification rules (including privacy and security) seems likely." (Employee Benefits Institute of America)
[Guidance Overview] New Treasury Regulations Require Group Health Plans to Self-Report Excise Tax Liability
Excerpt: "Beginning January 1, 2010, plan sponsors (plan administrators for multiemployer plans) will need to self-report excise tax liabilities for failure to meet certain health plan requirements, including requirements under: * COBRA; * HIPAA's portability and nondiscrimination rules; * Newborns' and Mothers' Health Protection Act; * Mental Health Parity and Addiction Equity Act; * Health savings account comparability provisions; * Michelle's Law; * Genetic Information Nondiscrimination Act (GINA)" (Ballard Spahr)
HHS Unveils Online Form for Reporting HIPAA Health Information Breaches
Excerpt: "To report breaches of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), health plans and other covered entities subject to the law's privacy requirements must use a new online form on the HHS website. HIPAA changes enacted by the 2009 HITECH Act require group health plans to report PHI breaches to HHS, even if the breach originated with a vendor or elsewhere. Initial reports of breaches affecting fewer than 500 people are due March 1, 2010." (Mercer LLC)
[Opinion] HHS Breach Notification Rules Again Under Fire
Excerpt: "The Center for Democracy and Technology is the latest to find fault with the Department of Health and Human Services' data breach rules for personal health records. Under the current interim rules health care organizations that use encryption or destruction, no breach notification is necessary, but for those who don't, the health organization makes the call on whether the breach is harmful enough to trigger a breach notification. The Department of Health and Human Services should replace its controversial harm standard for triggering a personal health record data breach notification with a risk assessment approach that requires organizations to determine whether the data was actually viewed or acquired by an unauthorized person, according to the Center for Democracy and Technology." (eWEEK.com)
[Opinion] American Benefits Council Comments on Interim Final Rule on Breach Notification for Unsecured Protected Health Information (PDF)
4 pages. Excerpt: "The Council strongly supports the 'harm threshold' HHS adopted in its Interim Final Rule, requiring a covered entity to consider a number of factors to determine whether a particular disclosure poses a 'significant risk of financial, reputational, or other harm to the individual.' 45 CFR 164.402 (definition of 'breach'). If a disclosure meets the 'harm threshold,' the covered entity is required to provide notice to the affected individuals, the media (where applicable) and HHS." (American Benefits Council)
[Guidance Overview] Health Risk Assessments Face Bias Hurdle
Excerpt: "Under IRS rules associated with the Genetic Information Nondiscrimination Act, employers are prohibited from collecting genetic information -- defined as family medical history -- in health risk assessments if that information will be used for 'underwriting' purposes. That includes offering employees discounts on their monthly premium contributions or lowering deductibles for completing a health risk assessment." (Workforce Management; free registration required)
[Guidance Overview] Requirement that Employees Complete Health Risk Assessments in Order to Receive HRA Reimbursements Violates the ADA
Excerpt: "The broadened scope of the definition of 'disability' under recent amendments to the ADA . . . may cause more inquiries in health risk assessments to be viewed as disability-related and thus subject to scrutiny under the ADA. Formal guidance from the EEOC on the ADA's application to wellness programs is sorely needed. It also bears repeating that in addition to the ADA, wellness programs must also meet applicable HIPAA requirements and comply with GINA." (Employee Benefits Institute of America)
[Guidance Overview] Does Your Wellness Program Need to Revise Its Health Risk Assessment?
Excerpt: "The new rules clarify that your health risk assessment can still seek genetic information if no reward is provided, completing the HRA is voluntary, and the HRA is not completed until after a new participant is covered under your health plan. But if your plan offers a reward, then the HRA may not directly or indirectly seek genetic information (although you could put questions seeking genetic information into a separate, voluntary HRA for which there is no reward.)" (Warner Norcross & Judd LLP)
[Guidance Overview] New HIPAA Breach Notification Rules
Excerpt: "Rather than waiting for a breach to occur and then reacting in a panic, best practice is to proactively act now to establish notice procedures, maintain breach logs, revise business associate agreements, train employees and update privacy procedures." (Briggs and Morgan P.A.)
[Guidance Overview] GINA Interim Final Regulations: Wellness and Disease Management Programs Impacted
Excerpt: "Title I of GINA, as interpreted by the interim final regulations, prohibits plans from: Increasing group premiums or contributions based on genetic information; Requesting or requiring an individual or family member to undergo a genetic test (other than for certain limited exceptions, including a plan's right to condition payment for a medical service on medical appropriateness which may in turn depend on the genetic information of the individual); and Requesting, requiring or purchasing genetic information prior to or in connection with enrollment, or at any time for underwriting purposes. It is also important to note that unlike the other provisions of the HIPAA portability and nondiscrimination rules, GINA does apply to group health plans with fewer than two participants who are current employees. In other words, GINA does apply to a separate retiree medical plan." (Kilpatrick Stockton LLP)
[Guidance Overview] HHS GINA Proposed Regulations: HIPAA Covered Entities Impacted
Excerpt: "Based on the proposed regulations, other documents should also be updated to reflect the new GINA provisions, including the health plan's policies and procedures. Depending on the services that are provided by a business associate and the language of existing business associate agreements, applicable business associate agreements may also need to be updated. Last, health plan sponsors should also consider whether adding protective language in their health plan documents is also appropriate." (Kilpatrick Stockton LLP)
It's Time for HIPAA Covered Entities to Update Their Policies on the Use of Cell Phones and Cameras
Excerpt: "Covered entities (CEs) should review and update their policies on cell phones and cameras and make the rules clear and highly visible to employees, patients and visitors . . . . Technology and social networking sites are simple to use and very widespread. A person can take a picture with an iPhone and post it to his or her Facebook page in an instant." (AISHealth.com)
Congressmen Want HIPAA Harm Threshold Eliminated
Excerpt: "Six members of the House of Representatives signed a letter written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS' interim final rule on breach notification. . . . The Congressmen, all but one of whom are Democrats, wrote they are 'deeply concerned' about the harm provision because it gives covered entities and business associates (BAs) a 'breadth of discretion' as they determine the level of harm to an individual whose PHI was inappropriately disclosed." (HealthLeaders Media)
[Guidance Overview] HHS's Reporting Form for HIPAA Breaches
Excerpt: "[The Department of Health and Human Services] has now published an online form for reporting breaches of unsecured PHI. The HHS form provides a checklist for plan sponsors who experience a breach of unsecured PHI. Plan sponsors can use the form to help them track breaches and to assure that appropriate preventive measures are in place." (The Segal Group, Inc.)
[Guidance Overview] Breach Notification Under the HITECH Act: Action Points for Employers Who Sponsor Self-Insured Group Health Plans (PDF)
Excerpt: "Because the Rule is currently effective and because sanctions will be imposed by HHS for failure to provide required notifications for breaches that are discovered on or after February 22, 2010, what should employers who sponsor self-insured group health plans begin doing now to comply?" (Porter Wright Morris & Arthur LLP)
[Guidance Overview] GINA Regulations: Prohibiting Discrimination in Health Plans Based on Genetic Information and Revising Privacy Rules (PDF)
4 pages. Excerpt: "The proposed regulations would require plans and insurance issuers to revise their Notices of Privacy Practices to include a statement that genetic information cannot be used or disclosed for underwriting purposes. The Privacy Rule generally requires plans to issue an updated notice within 60 days of a material change to the notice. HHS indicated that it understands that this timing may be burdensome and that distributing revised notices may be costly. Thus, HHS solicited comments on ways to mitigate these burdens, such as by allowing a revised notice to be distributed with annual open enrollment materials or allowing a specific extension of time in this instance. The amendments to the Privacy Rule are proposed to be effective 180 days after final regulations are published in the Federal Register. Comments are due on the proposed regulations within 60 days after publication in the Federal Register." (Sutherland Asbill & Brennan LLP)
[Guidance Overview] HIPAA Obligations Create Legal Challenges
Excerpt: "Until Sept. 23, when consumers' health information was accidentally disclosed, they might not have known about it. But under the new regulation, breaches must be reported to the Department of Health and Human Services and to the individuals affected. If providers cannot locate them, they must report the violation on their Web site and to the local media. The media must also be notified if a breach affects more than 500 individuals. Here's where the regulation gets a little murky . . . . It's left up to the businesses themselves to make fact-based determinations as to whether notification is necessary, based on whether there has been a 'significant risk of financial, reputational, or other harm' to the patient. 'It's a bit of a judgment call. We're waiting to see what that turns out as,' . . . ." (Wisconsin Law Journal)
[Official Guidance] Text of Proposed HHS Regs on GINA Changes to HIPAA Privacy Rule (PDF)
13 pages. Excerpt: "In accordance with section 105 of GINA 2 and the Department's general authority under sections 262 and 264 of HIPAA, the Department proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide that genetic information is health information for purposes of the Rule; (2) prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes; (3) revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting; (4) make a number of conforming modifications to definitions and other provisions of the Rule; and (5) make technical corrections to update the definition of 'health plan.'" (U.S. Department of Health and Human Services)
[Official Guidance] Text of GINA Regulations from U.S. Department of Health and Human Services, IRS, DOL (PDF)
35 pages, from Federal Register of October 7, 2009; 'Prohibiting Discrimination Based on Genetic Information; Interim Final Rules; HIPAA Administrative Simplification; Genetic Information Nondiscrimination Act; Proposed Rules' (U.S. Department of Health and Human Services, Internal Revenue Service, U.S. Department of Labor)
[Guidance Overview] IRS Final Regs on COBRA, HIPAA and HSA Penalty Reporting, Clarifies HSA Comparability Rules
Excerpt: "Final IRS rules require filing Form 8928 to report and pay excise taxes for violations of HIPAA portability, COBRA, or comparability rules for employer contributions to health savings accounts (HSA) outside of a cafeteria plan or to Archer medical savings accounts. The regulations also clarify certain HSA comparability rules, including the allowance for some higher-paid employees and contributions for midyear plan entrants. The new requirements and clarifications apply to filings due and employer HSA contributions made on or after Jan. 1, 2010." (Mercer LLC)
[Guidance Overview] HITECH Breach Notification Guidance and Employer Next Steps (PDF)
7 pages. Excerpt: "Significant new data security obligations apply to employer health plans under the Health Information Technology for Economic and Clinical Health Act (HITECH) that was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009. . . . To avoid potentially significant notice requirements, plan sponsors will need to review their current policies, procedures, and safeguards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and decide how best to proceed." (Aon Consulting)
HHS Officials Provide Informal Views on Upcoming HIPAA Guidance and More
Excerpt: "The Joint Committee on Employee Benefits (JCEB) of the American Bar Association has reported on its May 2009 Q&A session with officials from HHS's Office for Civil Rights (OCR). Highlights include the following informal, nonbinding remarks regarding HIPAA privacy rule issues . . . ." (Employee Benefits Institute of America)
[Guidance Overview] Online Form and Instructions Available for Reporting Breaches of Unsecured PHI to HHS
Excerpt: "EBIA Comment: Covered entities (including health plans) will likely appreciate this relatively straightforward form, as well as the ability to complete and file it online. It is worth noting that, for breaches affecting more than 500 individuals, ARRA requires that some of the information provided on this form be made publicly available by posting on the HHS website. ARRA also requires that OCR provide an annual report to Congress regarding the number and nature of breaches that are reported each year and the actions taken to respond to such breaches." (Employee Benefits Institute of America)
[Guidance Overview] Mental Health Parity: Is Your Health Plan Ready?
Excerpt: "A number of legislative and regulatory changes affecting group health plans recently have or soon will become effective in the 15 months between October 1, 2008, and January 1, 2010 [including]: * The COBRA subsidy; * Michelle's Law; * Genetic Information Nondiscrimination Act; * Special enrollment rights for persons losing CHIP or Medicare coverage or obtaining premium assistance from a state under a CHIP or Medicare program; * HIPAA privacy and security changes, including a breach notification requirement; * Final cafeteria plan regulations; and * Changes in state health insurance laws, such as the expansion of the available continuation coverage period from 18 to 36 months (New York) and modifications to the Massachusetts Health Care Reform Act. [In addition, the] Mental Health Parity and Addiction Equity Act of 2008 . . . becomes effective for plan years beginning after October 3, 2009 (a special rule applies to collectively bargained plans). Thus, the effective date is January 1, 2010, for calendar year plans." (Jackson Lewis)
[Guidance Overview] Insurer Not Liable for Discontinuing Small Group Supplemental Medical Policy
Excerpt: "We agree with this court's conclusion that the policy's termination did not violate HIPAA's prohibition on health status discrimination (which also applies to employer-sponsored health plans). HIPAA does not prohibit employers from making changes to their group health plan eligibility, benefits, or coverage provisions, so long as similarly situated individuals are treated the same and the change is not directed at individual participants or beneficiaries." (Employee Benefits Institute of America)
[Guidance Overview] Data Mining Coalition Battles for Prescription Data
Excerpt: "In IMS Health Inc. v. Ayotte, 550 F.3d 42 (1st Cir. N.H. 2008), cert. den., 129 S. Ct. 2864 (2009) the First Circuit upheld a Hampshire law that among other things prohibited certain transfers of physicians' prescribing histories for use in marketing drugs to physicians. A similar battle is now underway in the Second Circuit Court of Appeals over a Vermont statute. In IMS et al v. Sorrells a coalition of data mining entities seek to overturn a decision by the district court (IMS Health Inc. v. Sorrell, 2009 U.S. Dist. LEXIS 35594 (D. Vt.) (2009)) upholding the Vermont law. The Electronic Privacy Information Center (EPIC) has filed an amicus brief urging the Second Circuit to affirm the decision." (Roy Harmon III via Health Plan Law)
[Guidance Overview] Governance and Compliance Advisory Update: September 2009
Excerpt: "Most of these developments relate to health and welfare plans, particularly IRS guidance on over-the-counter items for FSAs. The HHS released final regulations covering security breaches under new HIPAA rules; Ohio initiated required health care coverage for uninsured and older dependent children, and Massachusetts clarified rules under its 'pay or play' mandate." (Towers Perrin)
With New Authority, HHS Office for Civil Rights Vows 'Vigorous Enforcement' of HIPAA Security as Well As Privacy
Excerpt: "Covered entities, as well as business associates, should expect stepped-up federal enforcement of both the privacy and security rules now that the HHS Office for Civil Rights was granted authority for investigating alleged violations of the HIPAA security rule, complementing its role as the enforcer of the privacy rule. Since 2005, the security rule had been enforced by the Centers for Medicare and Medicaid Services, while privacy was OCR's job. That changed on August 4 when incoming HHS Secretary Katherine Sebelius re-delegated that authority to OCR." (AISHealth.com)
[Guidance Overview] The Four Things You Need to Know and Do to Comply with the New HIPAA Breach Notification Rules
Excerpt: "Special note for entities that provide personal health record services as Covered Entities: Comply with HIPAA, not the new FTC Rules. One day after the Rule takes effect, new Federal Trade Commission breach notification requirements will require personal health record (PHR) vendors and their third-party service providers to notify affected individuals of breaches. The intent of the FTC Rule is to govern entities that do not have to comply with HIPAA, such as occupational health vendors that host employee health records and vendors who sell devices that are able to upload data to a personal record. If an entity is subject to both the HHS and FTC rules, such as vendors that offer PHRs to customers of a Covered Entity as a Business Associate and also offer PHRs directly to the public, the FTC will deem compliance with certain provisions of the HIPAA breach notification rule as compliance with the FTC's Rule." (von Briesen & Roper, s.c.)
[Guidance Overview] HIPPA Privacy Breach Notification Regulations
9 pages. (Gallagher Benefit Services, Inc.)
[Guidance Overview] New HITECH Changes to HIPAA Require Action by Group Health Plans: September 23, 2009 Effective Date
Excerpt: "The Health Information Technology for Economic and Clinical Health Act ('HITECH'), a part of the American Recovery and Reinvestment Act of 2009, imposes a new duty on covered entities (including group health plans) to notify affected individuals and, in some cases, the media and the Department of Health and Human Services ('HHS'), of a breach of unsecured protected health information ('PHI'). As required by HITECH, HHS issued regulations on August 24, 2009 providing more detail regarding this new duty. The regulations are effective September 23, 2009 but, as noted . . ., HHS will not impose sanctions for breaches discovered during the 180-day period beginning on the issue date." (Sonnenschein Nath & Rosenthal LLP)
[Guidance Overview] What Constitutes a Breach under the HIPAA HiTech Breach Notification Requirements (PDF)
Excerpt: "This advisory focuses on identifying a breach and whether possible exceptions apply. . . . Practice Pointer: Although business associates and covered entities have slightly different notice obligations, each must be able to identify 'breaches' in order to satisfy its respective notice obligations." (Alston & Bird LLP)
[Guidance Overview] New HIPAA Security Breach Notification Rules Requiring Prompt Action by Covered Entities (PDF)
Pages 1-4 of 10 pages. Excerpt: "[T]he interim rule will take effect on September 23, 2009. Although HHS has stated in the preamble to the interim rule that it will not impose sanctions for any failure to provide notification for breaches discovered before 180 calendar days from the publication of the interim rule on August 24, 2009 (February 22, 2010), affected organizations should act immediately to ensure compliance including, but not limited to, updating policies and procedures and the notice of privacy practices, training employees and other applicable workforce members on these requirements, and revising business associate agreements." (Trucker Huss)
[Guidance Overview] Group Health Plan Sponsors Should Be Aware of Changes Made by the HITECH Act
Excerpt: "The Health Information Technology for Economic and Clinical Health Act (the 'HITECH Act'), which was part of the American Recovery and Reinvestment Act of 2009, made some significant changes to the privacy and security rules. Most of the changes are effective on, or after February 17, 2010, although some of the requirements have earlier or later effective dates. The new requirements under the HITECH Act are described [in the target page]. Sponsors of group health plans should familiarize themselves with the changes and begin to take steps to comply with the new requirements." (Snell & Wilmer LLP.)
[Guidance Overview] Seventh Circuit Emphasizes Need to Assess the 'Gravity' of Any Conflict of Interest in Its Latest Post-Glenn Decision
Excerpt: "EBIA Comment: At this point, most of the federal circuit courts have weighed in on the impact of the Glenn case, which was decided over a year ago. This latest Seventh Circuit decision is notable among these post-Glenn decisions for its re-examination of the multifactor analysis and its attempt to make this standard 'more directive' for courts and plan administrators. One byproduct of this decision's emphasis on the gravity of a conflict of interest is that it may justify more discovery of information regarding the conflict -- an issue that has divided the courts post-Glenn." (Employee Benefits Institute of America)
[Guidance Overview] Final FTC Rule on Health Information Breach Notification
Excerpt: "EBIA Comment: The HHS final interim rule on breach notification for unsecured PHI has also been published and is effective September 23, 2009. Together, the adoption of the FTC and HHS final rules creates far-reaching breach notification requirements under the American Recovery and Reinvestment Act of 2009 (ARRA)." (Employee Benefits Institute of America)
[Guidance Overview] Final Regulations on HITECH Security Breach Notification for HIPAA Protected Health Information (PDF)
2 pages. Excerpt: "The regulations clarify a number of key issues: Use or disclosure must violate privacy rule, Risk of harm threshold, Concrete examples of breach exceptions, Flexibility in dealing with business associates, Technology guidance does not amend security rule, and The HIPAA's Privacy rule's administrative requirements apply." (The Segal Group, Inc.)
[Guidance Overview] Summary of the HHS Security Breach Notification Rules (PDF)
6 pages. Excerpt: "The Department of Health and Human Services ('HHS') has issued interim final rules on HIPAA's new security breach notification requirement, which was adopted under the HITECH Act in February as part of the stimulus bill. The HITECH Act made significant changes to the HIPAA privacy and security rules, including imposing a new requirement that covered entities notify individuals when their 'unsecure' protected health information ('PHI') is breached." (Groom Law Group via American Benefits Council)
[Guidance Overview] HIPAA Security Breach Notification Rules
Excerpt: "The new rules are effective 30 days after publication in the Federal Register, or September 9, 2009 (although HHS did adopt a nonenforcement policy through 2/22/10). Comments are due October 23, 2009. The [summary attached to the target page] details the new rules, including what steps health plans and health care providers should be taking. Also attached are the rules themselves." (Groom Law Group)
The links shown above have been gathered from the web by the editors at BenefitsLink.com. Each article's publisher is shown above in parentheses. Opinions expressed in each article are those of the article's publisher, not necessarily those of BenefitsLink.com, Inc. or any web site that displays these headlines in a "frame." You should contact the listed publisher for copyright information about any particular article or to inquire into the right to use the article in any manner.