Headlines about "Health plan admin - HIPAA"

Gathered from the web by the editors at BenefitsLink.com.
[Guidance Overview] Under HITECH Act, Business Associates Now Directly Covered by HIPAA (PDF)
Excerpt: "[Business associates (BAs)] should act now to review: (1) the information security measures it employs to protect PHI, (2) its policies and procedures relating to PHI it handles for Covered Entity clients, (3) its BA agreements, (4) the ways in which it uses and discloses PHI and the amount of PHI disclosed and (5) its communications to patients, if any, to implement measures to meet these new requirements. Also, BAs should prepare for the compliance audits that will be coming by implementing appropriate written policies and maintaining documentation to demonstrate their compliance with the new privacy and security requirements for PHI as they become effective. And BAs should assign responsibility for monitoring the development and issuance of the many implementing regulations that will be forthcoming." (Alston & Bird LLP)

[Guidance Overview] Expanded HIPAA Requirements and HHS Guidance on Securing Protected Health Information
Excerpt: "On April 17, the Department of Health and Human Services (HHS) released guidance on technologies and methodologies for securing PHI, which takes effect immediately. Employers will have to review and possibly update agreements with business associates, revise privacy practices and systems, update notices about privacy practices and make other changes. The effective dates generally vary by provision -- the stricter penalties are already in effect, while other changes and requirements take effect next year or later." (Watson Wyatt Worldwide)

[Guidance Overview] The Stimulus Push for Electronic Health Records and Strengthened Privacy and Security
Excerpt: "A significant chunk of The American Recovery and Reinvestment Act of 2009 (ARRA), approximately $20 billion, is aimed at motivating health care providers to implement electronic health record (EHR) systems. The incentives will be paid in the form of increased Medicare and/or Medicaid payments. Medicare incentive payments will begin in 2011 and will be paid over four years for eligible hospitals and over five years for eligible health care professionals who can show 'meaningful use' of a 'certified EHR' system. The incentive program for hospitals is based on the 'Medicare share' of a base payment amount of $2 Million, adjusted based on the hospital's discharge data. The Medicare share takes into account the proportion of inpatient bed days that are paid by Medicare as well as an adjustment for charity care." (Poyner Spruill LLP)

Key Health IT Definition Expected Soon
Excerpt: "The Office of the National Coordinator for Health Information Technology's number-two man, Charles Friedman, told industry members that an official definition of the term 'meaningful use' of health information technology is 'in the works' and they should expect its release 'in the not too distant future.'" (Kaiser Health News)

How Safe Are Your Medical Records?
Excerpt: "Stealing medical data has become more attractive to hackers and identity thieves as banks and individuals have become more sophisticated about protecting credit-building information." (Forbes.com)

[Opinion] American Benefits Council Comment Letter to FTC Regarding Protected HITECH Health Information Guidance (PDF)
5 pages. Excerpt: "The American Benefits Council . . . appreciates the opportunity to comment on the Federal Trade Commission's . . . Notice of Proposed Rulemaking and Request for Public Comment . . . , which provide rules for personal health record (PHR) related entities with respect to the security breach notification requirements under the Health Information Technology for Economic and Clinical Health . . . ." (American Benefits Council)

[Guidance Overview] HHS Guidance on Securing Protected Health Information and Avoiding Breach Notification
Excerpt: "The first guidance implementing the breach notification rules was published by HHS in April 2009. The guidance sets forth a safe harbor rule that plan sponsors can follow to secure PHI and therefore avoid the breach notification requirements. In the guidance, HHS clarifies when information is secure (and therefore not subject to the breach notification rules) or unsecure." (The Segal Group, Inc.)

[Opinion] American Benefits Council Letter on HHS Guidance and Request for Information: HITECH Breach Notification (PDF)
5 pages. Excerpt: "[The Council comments on the Guidance] specifying the technologies and methodologies that render protected health information (PHI) unusable, unreadable or indecipherable to unauthorized individuals and thus 'secure' PHI, not subject to the breach notification requirements imposed by the Health Information Technology for Economic and Clinical Health (HITECH) Act. . . . The HITECH Act added new privacy and security obligations for covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The comments . . . specifically address the Guidance on technologies and methodologies that render PHI 'secure', as well as the breach notification requirements more generally." (American Benefits Council)

[Guidance Overview] Disclosure Accounting in Electronic Health Records Could Be Big Problem for HIPAA Covered Entities
Excerpt: "The new accounting of disclosures requirements for EHRs under the HITECH Act dictates that providers log all disclosures made through EHRs -- including those made for treatment, payment and health care purposes -- and report them to patients when requested. Formerly, HIPAA required that providers log when protected health information (PHI) is disclosed for purposes other than treatment, payment or health care operations. The new requirements are a ticking time bomb for covered entities mainly because so much has yet to be defined, says Frank Ruelas, privacy and compliance trainer for CEs. 'So many people are reading the [provisions], which are saying "You must do X, Y and Z -- and by the way, we'll let you know what X, Y and Z are later,"' he contends." (AISHealth.com)

[Guidance Overview] COBRA Notice Was Sufficient Despite Employee's Claim That He Never Received It
Excerpt: "EBIA Comment: As this court points out, COBRA does not require actual receipt of notification by the qualified beneficiary. In this regard, the decision follows the majority of courts, which have held that to demonstrate compliance with COBRA's notice requirements, a plan administrator need only prove that the election notice was sent to the qualified beneficiary by a method that is reasonably calculated to reach the qualified beneficiary. This standard is consistent with the DOL's general disclosure regulations." (Employee Benefits Institute of America)

[Guidance Overview] HITECH Act HIPAA Guidance
Excerpt: "The FTC and HHS have issued the first set of HIPAA privacy/security guidance under the new HITECH Act requirements. The new guidance relates to the security breach notification requirement, which will go into effect in September 2009 (the exact date will depend on the date final regulations are issued). [The target page links to a four-page overview of HHS Guidance, a Breach Notification Chart, and a HITECH Act Timeline.]" (Groom Law Group)

[Guidance Overview] HHS Guidance on Safe Harbor from Data Breach Notification Requirements
Excerpt: "The Guidance describes what is essentially a 'safe harbor' from within which covered entities and business associates need not comply with ARRA's data breach notification requirements. At its center, the Guidance establishes an encryption and destruction standard for health information, and explains that covered entities and business associates will not be subject to ARRA's data breach notification requirements for breaches of data that is encrypted or destroyed in accordance with this standard. Although the Guidance raises more questions than answers, it does offer a process-oriented approach. Entities and business associates covered by the Guidance should take careful note of its provisions, and, if needed, provide input to HHS. The Guidance solicits comments, which must be made before May 21, 2009." (Davis Wright Tremaine LLP)

[Guidance Overview] HIPAA Guidance and Request for Comments: Securing Protected Health Information and Breach Notification
Excerpt: "As required under HITECH, on April 17, 2009, the Department of Health and Human Services (HHS) issued guidance regarding the proper methods for securing PHI. Also contained in the guidance is a request for information on: (1) the introduced methods for securing PHI, and (2) the breach notification process. Comments must be submitted on or before May 21, 2009." (McGuireWoods LLP)

[Guidance Overview] ARRA's Amendments to HIPAA Privacy & Security Rules (PDF)
25 pages. Excerpt: "Overview of Amendments to HIPAA Privacy and Security Rules: Expanded Obligations of Business Associates (BAs); Affirmative Notification of Breach Requirements; Guidance on 'Minimum Necessary' Standard; Prohibition on Sale of PHI; Restrictions on Marketing; Limited Application to Personal Health Records (PHR) Vendors; Increased Enforcement and Penalties, including application to BAs. Note: This presentation relates to obligations of employer-sponsored health plans, not health care providers or healthcare industry companies to which additional requirements apply." (Morgan, Lewis & Bockius LLP)

[Guidance Overview] FAQs About Disposing of Protected Health Information
Excerpt: "Recent guidance from the U.S. Department of Health and Human Services in the form of six frequently asked questions reminds providers to properly dispose of Protected Health Information in compliance with HIPAA. So this is a good time to review how your organization handles PHI and update your policies. If you don't have policies in place already, you need to fix this right away. Here is the gist of what DHHS has to say. Everyone who handles PHI should know this." (Poyner Spruill LLP)

[Guidance Overview] ARRA Required Changes in HIPAA Compliance
Excerpt: "The American Recovery and Reinvestment Act passed at the end of February contains a number of changes to HIPAA privacy and security rules. Among the most important changes are new notification obligations in cases of breaches of protected health information (PHI). Upon discovering a breach of unsecured PHI, health plans will now be required to notify affected individuals and -- if more than 500 individuals are affected -- the Department of Health and Human Services (HHS) and prominent media outlets serving the area. Health plans will also be required to maintain and submit annually to HHS a log of all breaches." (Faegre & Benson)

[Guidance Overview] Final Updates to HIPAA EDI Rules
Excerpt: "Implications for Plan Sponsors: Although there is still plenty of time to achieve compliance, plan sponsors may want to begin discussions with system vendors and third-party administrators to ascertain their plans for complying with these new requirements on behalf of their group health plan clients. Plan sponsors that are self-insured and self-administered will need to ensure that they are compliant, while those that are insured or rely on an administrator should monitor their service provider's compliance efforts." (The Segal Group, Inc.)

[Guidance Overview] Swine Flu Pandemic Preparation for Employers: Legal Issues to Consider
Excerpt: "As an overriding principle, workplace safety law requires employers to provide a workplace free from recognized hazards likely to cause death or serious physical harm. Contingency plans to protect employees during an illness outbreak can, however, trigger benefit and employment law issues. . . . Employers must be concerned, for example, about how they will detect swine flu symptoms among employees and communicate information to affected employees and others without violating applicable privacy laws. In general, HIPAA privacy rules will not govern such uses and disclosures of health information related to the swine flu, unless employers obtain such health information from their health plans. Further, HIPAA may permit uses or disclosures of protected health information that are necessary for public health reasons -- that is, to prevent or control the spread of swine flu. Employers should also check state medical privacy rules regarding such issues." (Faegre & Benson)

[Guidance Overview] Required Notifications of Breaches of Unsecured PHI Under HIPAA (PDF)
4 pages. Excerpt: "Group health plan administrators and designated HIPAA Privacy and Security Officers should consult with their information technology professionals to determine if their electronic systems on which PHI is stored, used, or destroyed or over which PHI is transmitted comply with the standards set forth in the guidance. They should also review their disposal policies for destroyed hard copies of PHI to ensure the procedures comply with the standards." (Bryan Cave LLP)

[Guidance Overview] New HIPAA Breach Notification Requirements' Guidance
Excerpt: "A notice of a breach of Unsecured PHI generally is required to include, among other things, (1) a description of the breach, (2) steps that affected individuals should take to protect themselves from potential harm that could arise out of the breach, (3) a summary of what the applicable covered entity is doing to investigate the breach, to mitigate potential losses, and to prevent additional breaches from occurring, and (4) steps that can be taken to obtain additional information." (Bond, Schoeneck & King, PLLC)

[Guidance Overview] The Breach Notification Provisions of the HITECH Act
Excerpt: "The HITECH Act [provides new provisions for notifying affected individuals] about breaches, which apply to business associates and covered entities that access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHI. A breach is defined as an 'unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information . . ." (Pepper Hamilton LLP)

[Guidance Overview] HHS Proposes Encryption and Destruction as Exclusive Methods for Securing PHI
Excerpt: "As required under the HITECH Act, the Department of Health and Human Services issued guidance identifying the methodologies that will render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals. HITECH's new breach notification requirements will not apply to PHI that has been so secured through either encryption or destruction -- but HHS is seeking comments on whether PHI in limited data set form, or whether additional technologies and methodologies, should be added to the list." (Deloitte via BenefitsLink.com)

[Guidance Overview] FTC as Enforcer: Proposed Data Breach Notification Rule for Personal Health Records
Excerpt: "Notification of a breach must be made 'without unreasonable delay' but in no event later than within 60 calendar days of learning of the breach. PHR vendors and PHR-related entities must provide notice to each individual who is a citizen or resident of the United States whose unsecured PHR identifiable information was acquired by an unauthorized person as a result of such breach of security and to the FTC. Third-party service providers must provide notice of a breach of security to a senior official at the applicable PHR vendor or PHR-related entity." (Davis Wright Tremaine LLP)

[Guidance Overview] New HIPAA Privacy and Security Requirements in Stimulus Bill (PDF)
4 pages. Excerpt: "The recently enacted American Reinvestment and Recovery Act (ARRA) includes a significant expansion of the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that affects both covered health plans and business associates. In particular, ARRA imposes breach notification requirements, makes business associates directly responsible for complying with HIPAA privacy and security rules, and provides for increased enforcement activity and penalties for noncompliance. Many of the changes will not take effect until next year, but some are effective now." (Buck Consultants)

[Guidance Overview] HHS Issues Guidance on Securing Protected Health Information and Preventing Harm From Breaches
Excerpt: "Employers and administrators will welcome this guidance on what is only one of ARRA's sweeping changes to the HIPAA privacy and security provisions. HHS has asked for public input on the guidance, including whether other technologies and methodologies should be included in future updates to the guidance and whether the risk of re-identification of a limited data set warrants its exclusion from the list of technologies and methodologies in the guidance." (EBIA)

[Guidance Overview] FTC Proposes Regulations on Security Breach Notification Requirements Applicable to Entities Not Covered Under HIPAA
Excerpt: "[T]he FTC has published proposed regulations that would require vendors of personal health records (PHRs) and related entities, upon discovery of a breach of security of individually identifiable health information, to notify affected individuals and the FTC (the preamble notes that the 'FTC is consulting with HHS to harmonize its proposed rule with HHS' proposed rule'). Here are some highlights: . . . ." (EBIA)

[Official Guidance] Federal Register Format of HHS Regs on Indecipherable Health Information Pursuant to HITECH (PDF)
5 pages. The Federal Register document is a reprint of guidance released April 17 by HHS on its web site. Excerpt: "[The HITECH statute] provides that no later than 60 days after enactment, the Secretary shall, after consultation with stakeholders, issue (and annually update) guidance specifying the technologies and methodologies that render [Personal Health Information] unusable, unreadable, or indecipherable to unauthorized individuals. . . . Because the [HIPAA] breach notification requirements apply only to breaches of unsecured PHI, this guidance provides the means by which covered entities and their business associates are to determine whether a breach has occurred to which the notification obligations under the Act and its implementing regulations apply." (U.S. Department of Health and Human Services)

[Guidance Overview] Unsecured Protected Health Information for Notification of Breaches Under HIPAA
Excerpt: "The new rules provide that protected health information will be 'unsecured' if it is not secured through the application of a technology or methodology that renders it unusable, unreadable, or indecipherable to unauthorized individuals and that meets standards specified in guidance published by the government. Complying with a 60-day statutory deadline for issuing that guidance, HHS has published information and a request for comments on these technologies and methodologies." (Ballard Spahr Andrews & Ingersoll, LLP)

[Guidance Overview] HHS's Long Awaited Guidance for Securing Protected Health Information (PDF)
Excerpt: "The guidance identifies technologies and methodologies for ensuring that PHI is unusable, unreadable or indecipherable to unauthorized individuals, as mandated by Section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA required that HHS issue such guidance within 60 days of the law's enactment and annually thereafter." (Alston & Bird LLP)

[Guidance Overview] HITECH's Security Breach Notification Requirements (PDF)
8 pages. Excerpt: "This White Paper discusses guidance issued by the U.S. Department of Health and Human Services under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009, which requires covered entities, business associates, vendors of personal health records (PHR) and related entities to notify individuals when their unsecured protected health information and PHR identifiable health information is subject to a breach of security." (McDermott Will & Emery)

[Guidance Overview] Proposed FTC Rule Would Expand Reach of Health Data Breach Regulations
Excerpt: "The American Recovery and Reinvestment Act requires FTC to issue an interim final rule on breach notification requirements for PHR vendors and related entities by August. The act also requires HHS and FTC to publish a study on potential privacy, security and breach notification requirements for PHR vendors and related entities by February 2010 . . . ." (California HealthCare Foundation)

[Guidance Overview] Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation (PDF)
Excerpt: "The American Recovery and Reinvestment Act of 2009 . . . included provisions making significant improvement in the privacy and security standards for health information. The provisions on privacy and security (generally in ARRA's Title XIII, Subtitle D and some parts of Subtitle A) can be grouped into four broad categories: Substantive changes to HIPAA statute and privacy and security regulations; Changes in HIPAA enforcement; Provisions to address health information held by entities not covered by HIPAA (as either covered entities or business associates); Miscellaneous: Administration/Studies/Reports/Educational Initiatives[.]" (Center for Democracy and Technology)

[Guidance Overview] HHS's First HITECH HIPAA Guidance
Excerpt: "On April 17, 2009, the U.S. Department of Health and Human Services (HHS) published its first guidance under the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act. The HITECH Act amends the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA). This new guidance provides key information to health care providers, health plans, health care clearinghouses and their business associates about the security of protected health information." (Faegre & Benson)

[Guidance Overview] PHR Vendors and Related Entities Face the FTC'S New Health Breach Notification Rule (PDF)
6 pages. Excerpt: "In general, the Proposed Rule is substantively similar to the provisions of Section 13407 of ARRA. The FTC is using this opportunity, however, to shed additional light on certain definitions and aspects of the Health Breach Notification Rule. This advisory highlights the key provisions of the Proposed Rule, including those sections where the FTC is seeking public comment." (Alston & Bird LLP)

[Guidance Overview] Proposed FTC Rule Would Require Notice About Personal Health Record System Breaches
Excerpt: "The Federal Trade Commission, in compliance with the American Recovery and Reinvestment Act of 2009, issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach. Comments on the 50-page proposed rule can be submitted online and must be in by June 1. The stimulus act requires the FTC and HHS to work on a report to Congress due in February 2010 on potential privacy, security and breach notification requirements for personal health-record vendors and 'related entities.' In the meantime, the law required the FTC to publish 'interim final regulations' not later than 180 days after the act was enacted." (Modern Healthcare; free registration required)

[Guidance Overview] HIPAA Covered Entities Face a Variety of New Enforcement Risks
Excerpt: "'Privacy and security enforcement will get much more aggressive' under the Obama administration, says Washington, D.C., attorney Robert Hudock, with Epstein, Becker & Green. He expects a shift from the voluntary compliance approach that has marked enforcement so far to more fines and penalties. . . . CMS and OCR have a much bigger stick -- in the form of fines that now go up to $1.5 million per entity per calendar year." (AISHealth.com)

[Guidance Overview] HITECH Changes to HIPAA Privacy and Security Rules for Group Health Plans
Excerpt: "The HITECH Act, which amends the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), creates . . . new risks and penalties . . . ." (Dorsey & Whitney LLP)

[Guidance Overview] Major Changes to HIPAA Privacy and Security Rules
Excerpt: "The civil monetary penalties for a violation of the HIPAA Privacy Rule or Security Rule have been significantly increased. In general, the penalty for violations due to reasonable cause and not to willful neglect has increased ten times, from $100 per violation to $1,000 per violation. Violations that are found to be due to willful neglect (even if corrected) are subject to a penalty of $10,000 per violation. Additionally, although there is still no individual private cause of action under HIPAA, state attorneys general can now bring an enforcement action and obtain damages (including attorneys' fees) on behalf of residents of that state." (Tax Management Inc.)

[Guidance Overview] HIPAA Privacy Notice Reminder Deadline on April 14, 2009
Excerpt: "Employers that sponsor group health plans may want to consider the following when deciding how to comply with the privacy notice reminder requirement . . . ." (Dorsey & Whitney LLP)

[Guidance Overview] Increased HIPAA Obligation on Health Benefit Plans and Service Providers (PDF)
6 pages. Excerpt: "The much-heralded economic stimulus package signed by President Obama on February 17, 2009 (ARRA or the 'Act'), dramatically expands and strengthens the security and privacy requirements under the Health Insurance Portability and Accountability Act of 1996 (the 'HIPAA Rules'). Most of ARRA's security and privacy provisions will be effective within a year of ARRA's enactment; some provisions, however, are already in effect. This article highlights the key changes to the HIPAA Rules and the impact of these changes on health benefit plans, their business associates and certain previously non-covered entities." (Alston & Bird LLP)

[Guidance Overview] New Penalties of up to $50,000 per Violation for Noncompliance with Health Data Privacy and Security Rules
Excerpt: "A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the 'HITECH Act'), will have a significant impact on employers that sponsor group health plans. The HITECH Act effectively mandates that group health plans secure protected health information ('PHI') of plan participants by using a technology or methodology to be specified by guidance in April 2009. Plan sponsors that fail to bring their group health plans into compliance are at risk for enforcement actions, large penalties, class action lawsuits, and injuries to reputation. By any measure, it is the toughest federal law ever enacted to regulate employee benefit plans." (Dorsey & Whitney LLP)

[Guidance Overview] HITECH Act Modification of HIPAA's Privacy and Security Rules
Excerpt: "The HITECH Act places additional obligations on entities traditionally covered under HIPAA and extends the new rules to traditional business associates. Specifically, the HITECH Act sets forth new rules regarding notification of data breaches and accounting and reporting requirements for data disclosures. All entities traditionally covered under HIPAA, and companies doing business with and for those entities, should be aware of the new obligations set forth in the HITECH Act." (Porter Wright Morris & Arthur LLP)

[Guidance Overview] Webinar: Unscrambling the New Legislative Requirements for 2009-2010
Excerpt: "On March 17, Michael Rosenbaum, partner in the Chicago office, with Gallagher Benefit Services hosting, presented a webinar entitled 'Unscrambling The New Legislative Requirements 2009-2010'. This webinar focused on reviewing the list of legal/regulatory challenges facing HR professionals in 2009 and 2010, such as FMLA, Federal COBRA Subsidy, COBRA and the Trade Assistance Act (TAA) and HIPAA Privacy & Security. [A link is provided to the audio portion of this webinar.]" (Drinker Biddle & Reath LLP)

[Guidance Overview] Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA Privacy & Security (PDF)
9 pages. Excerpt: "The Act includes a significant portion on Healthcare IT -- including updates to the HIPAA Privacy & Security regulations. There are several new provisions, such as: New Enforcement Rules - Audits will be proactively performed, State Attorneys General can prosecute criminal violations and fines have been raised. Business Associates & Covered Entities - Now business associates have as much responsibility (and liability) to protect PHI as Covered Entities. Increased Liability - Individuals can be held accountable in addition to organizations. New Disclosure Rules - If a breach occurs, you will be required to alert not only those impacted, but if it's a large breach also notify certain authorities and post announcements in newspapers." (BridgeFront)

[Guidance Overview] New HIPAA Special Enrollment Rights Effective April 1, 2009
Excerpt: "The deadline to request special enrollment for these new events is longer than the deadline most group health plans permit for other special enrollment events. For existing special enrollment events (i.e., marriage, birth, adoption, placement for adoption and loss of other specified coverage) the special enrollee has at least 30 days after the event to request special enrollment. For the new special enrollment events, special enrollees must request enrollment not later than 60 days after the loss of Medicaid or CHIP coverage or not later than 60 days after the determination of eligibility for Medicaid or CHIP premium assistance." (Dorsey & Whitney LLP)

[Guidance Overview] Major Changes to HIPAA Privacy and Security Rules Are on the Way
Excerpt: "The most significant change in the new rules is the extension of certain HIPAA provisions to 'business associates.' . . . . Under ARRA, certain HIPAA security provisions now apply directly to business associates to the same extent that such provisions apply to covered entities . . . . This is a major sea change for business associates such as third-party administrators and other vendors who previously thought that their sole legal obligation was to comply with the terms of the business associate agreement." (Spencer Fane)

[Guidance Overview] Major Changes to HIPAA Privacy and Security Rules
Excerpt: "The most significant change in the new rules is the extension of certain HIPAA provisions to 'business associates.' Previously, the HIPAA rules made a clear distinction between 'covered entities' (to which all of the HIPAA privacy and security rules apply) and 'business associates' (which were not directly covered by the HIPAA rules, but with whom covered entities were required to obtain business associate agreements). Under ARRA, certain HIPAA security provisions now apply directly to business associates to the same extent that such provisions apply to covered entities, including the potential application of civil and criminal penalties for violations of HIPAA." (Spencer Fane Britt & Browne LLP)

[Guidance Overview] Presentation: Welfare Plan Compliance Checklist, Legislative and Regulatory Update, and HIPAA Title II (PDF)
86 pages. Federal legislative changes for 2009 starts on page 2; A LEGISLATIVE AND REGULATORY UPDATE FOR HEALTH AND WELFARE PLANS starts on page 23; and, HIPAA TITLE II starts on page 56. (Marin Legal PC)

[Guidance Overview] Stronger Protections for Health Information (PDF)
3 pages. Excerpt: "A key part of the fiscal stimulus package (the 'Act'), signed by President Obama into law on February 17, 2009, included sweeping changes to the health information privacy and security provisions promulgated under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). Many of these new protections will take effect February 17, 2010 (one year after enactment of the Act); however, some have their effective dates delayed until the Department of Health and Human Services ('HHS') provides specific guidance. The Act calls for guidance in several areas, so increased rulemaking activity should be expected from HHS in the coming months." (Paul, Hastings, Janofsky & Walker LLP)

[Guidance Overview] HIPAA Changes Leading to New Era of Electronic Health Data (PDF)
6 pages. Excerpt: "HIPAA Security Rules. Starting on February 17, 2010, follow the HIPAA security rules previously applicable only to covered entities. Business associates will be required to appoint a security officer; develop written security policies and procedures; adopt administrative, physical and technical safeguards for PHI; and train their workforce on how to protect PHI. HHS is required to issue guidance on appropriate technical safeguards for PHI." (Thompson Hine LLP)

[Guidance Overview] Presentation: New Federal Legislation Affecting Health Plans (PDF)
70 slides. New COBRA Subsidy, New Special Enrollment Rights, and New Privacy and Security Requirements in the HITECH Act are covered in the presentation. (Dorsey & Whitney LLP)

[Guidance Overview] HHS Enhances Its Health Information Privacy Webpage
Excerpt: "EBIA Comment: [M]uch of the detailed privacy information has been better organized and the webpage has a more 'user friendly' feel. Covered entities, such as health plans, should find it easier to navigate the updated webpage for helpful information relating to privacy compliance and enforcement." (Employee Benefits Institute of America)

[Guidance Overview] Stimulus Law Includes Major Changes to HIPAA Privacy and Security Rules (PDF)
Excerpt: "This Bulletin discusses the key HIPAA changes: breach notification required by fall 2009; new approach to business associates, a term that covers third party administrators (TPAs), pharmacy benefit managers (PBMs), health benefits administration system vendors, attorneys, actuaries and consultants; and guidance required from the Secretary of Health and Human Services on the privacy rule's minimum necessary standard, which governs nearly all uses, disclosures and requests for protected health information (PHI). The Bulletin also discusses other key changes, such as significant increases in civil monetary penalties and enforcement. It concludes with a list of action steps for plan sponsors." (The Segal Group, Inc.)

[Guidance Overview] Summary of HIPAA Amendments in New Stimulus Package
Excerpt: "The new Stimulus Bill makes certain sections of HIPAA's Security Rule applicable to business associates of covered entities in the same manner that those sections currently apply to covered entities. HIPAA defines a business associate as an individual or corporate 'person' that performs on behalf of the covered entity any function or activity involving the use or disclosure of protected health information and is not a member of the covered entity's workforce. These certain Security Rules provisions will also need to be incorporated into the business associate agreement between the business associate and the covered entity. Failure to comply with these provisions of the Security Rule will subject the business associate to civil and criminal penalties in the same manner as a covered entity." (Adams and Reese LLP)

[Guidance Overview] Privacy Provisions of the HITECH Act (PDF)
6 pages. Excerpt: "The stimulus bill, also known as the American Recovery and Reinvestment Act of 2009 . . ., makes major changes to the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 . . . . In particular, individuals must receive notification when their health information is unlawfully disclosed, there are expanded prohibitions on selling health information and contacting individuals to promote products or services, and 'business associates' will now be directly subject to HIPAA requirements. In addition, penalties for violations are significantly increased and individuals who are harmed by disclosure of their health information may recover a portion of the penalty amount." (Winston & Strawn LLP)

[Guidance Overview] New Privacy & Security Rules Included in Stimulus Bill
Excerpt: "The economic stimulus package also includes new privacy and security requirements for the handling of medical records. Many of the provisions will become effective in 12 months. Although the focus of the legislation is on electronic records, most of the provisions apply to paper records as well." (Drinker Biddle & Reath LLP)

[Guidance Overview] HIPAA Goes HITECH (PDF)
8 pages. Excerpt: "The new economic stimulus package [the American Recovery and Reinvestment Act of 2009 (ARRA)], signed by President Obama on February 17, 2009, presents significant new data and security obligations for health plans and their vendors under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These new HIPAA-related requirements are spelled out in the Health Information Technology for Economic and Clinical Health Act (HITECH) that is contained within ARRA. In addition to HIPAA privacy and security, HITECH greatly expands the use of health information technology in the health care field. HITECH generally becomes effective on February 17, 2010; however, some provisions may be effective earlier, and others after regulations and guidance are provided by the Secretary of Health and Human Services (HHS)." (Aon Consulting)

[Guidance Overview] New Requirements on Third Party Administrators, Wellness Program Vendors, Disease Management Companies and other Business Associates
Excerpt: "A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act or 'HITECH Act,' will have a significant impact on service providers to group health plans, health care providers and other covered entities that use or disclose protected health information ('PHI'). Such 'business associates' may include third party administrators and vendors of wellness programs, disease management, utilization review, and a host of other professional services. The HITECH Act makes business associates directly subject to the new and expanded requirements under HIPAA, and creates significant risks of penalties, enforcement actions, and impediments to core business functions." (Dorsey & Whitney LLP)

[Guidance Overview] Timeline of HIPAA Privacy and Security Provisions (PDF)
1 page. HITECH Act (H.R. 1) Timeline: HIPAA Privacy & Security Provisions. (Groom Law Group via American Benefits Council)

[Guidance Overview] New FAQs on Appropriate Disposal of Health Information
Excerpt: "EBIA Comment: Covered entities (including health plans) should review the new FAQs closely as they provide helpful, practical advice on the proper disposal of PHI and electronic PHI. Enforcement activities are being strengthened under both the privacy and security rules and there can be significant consequences for noncompliance." (Employee Benefits Institute of America)

The links shown above have been gathered from the web by the editors at BenefitsLink.com. Each article's publisher is shown above in parentheses. Opinions expressed in each article are those of the article's publisher, not necessarily those of BenefitsLink.com, Inc. or any web site that displays these headlines in a "frame." You should contact the listed publisher for copyright information about any particular article or to inquire into the right to use the article in any manner.