Health plan admin - HIPAA

[Guidance Overview] Q&A on HIPAA Compliance for Group Health Plans and Wellness Programs That Use Health Apps (PDF)
"Is all health information received in connection with employer-provided benefits protected under HIPAA? ... If a health plan recommends that plan participants use a health app that provides wellness tools ... will use of the app trigger HIPAA compliance obligations? ... [If] health information is monitored by or provided directly to a third-party wellness vendor that uses data tracked in the health app to determine eligibility for certain incentives offered under an employer-sponsored wellness program. Is HIPAA compliance required? ... What are the consequences of a breach of unsecured PHI involving the transfer of health plan-related data from the app developer to the group health plan?" (Dechert LLP via Practical Law)
The Potential Perils of Collecting Biometric Data About Employees
"Adding to the potential hazards of these initiatives is the dearth of legal authority on the issue of how to collect and manage biometric data.... [O]nly two states, Illinois and Texas, have enacted statutes that even define specifically what constitutes biometric data; and only a few additional states, Alaska, California, New York and Washington, have proposed legislation on the issue.... Here are some rules of thumb -- based in part on the key provisions of the Illinois and Texas laws -- that an employer in possession of its employees' biometric data would be well advised to apply." (Foley & Lardner LLP)
Are You Prepared for a HIPAA Audit?
"In some cases, the covered entity selected for audit may have only ten days and one opportunity to provide the OCR with documentation of compliance policies, procedures, and day-to-day practices. Therefore, it is in covered entities' best interests to prepare for a successful audit in advance.... [S]elf-funded plan sponsors [can] prepare now by taking the time to shore up their PHI privacy and security practices as well as compile the documentation necessary to demonstrate their compliance efforts. [This article includes] a checklist to help you get started[.]" (Marsh Consulting Group)
HIPAA Phase 2 Audits Are Here. Are You Ready?
"Employer-sponsored plans providing health care benefits are generally Covered Entities, and this may include arrangements such as health care flexible spending accounts. Some employers with insured health care plans may be successful in taking a 'hands off' policy so as to avoid the need for the employer to take the many steps necessary to satisfy the rules." (Tucker Ellis LLP)
Are HIPAA Audits Moving Into Enforcement Territory?
"The [HHS] Office for Civil Rights [OCR] began a first phase of the compliance audits in 2011, focused solely on covered entities, while the current phase includes both covered entities and business entities.... OCR's current audits are focused on cybersecurity issues affecting cloud computing, patients' right to access information and health information exchanges." (Bloomberg BNA)
Do You Have Audit Controls to Ensure Access for Terminated Employees is Ended?
"[E]mployers generally have procedures in place that ensure immediate termination of access to an employer's network and computer systems upon the employee's termination of employment.... [Do] you have audit controls in place to ensure the access has been properly terminated? If not, you should put some in place right away, especially if you are a covered entity under HIPAA. And remember not only health care providers are covered entities. Self-funded health plans are also covered entities and subject to the HIPAA privacy and security rules." (Graydon Head & Ritchey LLP)
$5.5M Settlement Reminds Health Plans to Implement and Audit HIPAA Compliance
"MHS' failure to follow through to implement the controls required by its policies and audit and enforce compliance with HIPAA and its HIPAA policies was a costly mistake.... [H]ealth plans, their sponsors, fiduciaries and business associates should take documented action to audit and correct ... their operational compliance with HIPAA to mitigate their exposure to similar enforcement action for HIPAA violations." (Solutions Law Press)
[Guidance Overview] HIPAA for HR: Some Good News for Employers
"[E]mployers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance ... The story is different, however, for those employers who sponsor health plans on a 'self-insured' basis ... Most of the information contained in an employer's personnel files and records is not PHI.... Employers may be subject to various state privacy laws, which afford different and additional protections to employees than does HIPAA." (Foley & Lardner LLP)
[Guidance Overview] HIPAA Small Breach Notifications Due to OCR March 1
"Covered Entities should submit notice for each small breach online via OCR's breach portal. The breach portal requires a separate fillable report for each breach rather than a simple upload of the covered entities' breach logs." (von Briesen & Roper, s.c.)
[Guidance Overview] HIPAA Small Breach Notification Due March 1
"HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay -- and not later than 60 days after discovery. Covered entities also must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered. For this year, notifications of small breaches are due no later than March 1, 2017." (Davis Wright Tremaine LLP)
[Opinion] Call for State Privacy Laws to Align with HIPAA
"State privacy laws supersede HIPAA and can be complex and confusing ... Market impediments include the absence of any economic incentives to share information, in addition to the deliberate blocking of information exchange by providers, insurers, and IT vendors ... By aligning state privacy laws with HIPAA and creating standardized consent forms, states could facilitate information exchange, reducing confusion and legal costs.... [A recent report] includes a detailed roadmap for advancing information flow between providers, including the following steps." (Jeffrey C. Bauer, for HFMA)
Key Lessons to Be Learned from $3.2 Million HIPAA Penalty
"[T]he Final Decision drives home the importance of: [1] Proper encryption and other security and access controls of devices and systems containing ePHI; and [2] Proper documentation of risk assessments, audits, breach investigations and other events, compliance analysis and conclusions taken in response, and corrective actions selected and implemented in response to these events.... [The penalty amount also illustrates] the importance of proper behavior in response to a known or suspected breach." (Solutions Law Press)
How Does an Employer Comply with HIPAA's Privacy Rule When Reporting Health Plan Enrollment Information on Form 1095-C?
"A number of technical requirements must be satisfied before these disclosures may be made by the health plan to the plan sponsor.... Information about offers of coverage to your employees should be available from your employment records (rather than your health plan). Because information in employment records generally is not PHI, reporting this information should not implicate HIPAA's privacy rule." (Thomson Reuters / EBIA)
[Guidance Overview] End-of-Administration Changes: 21st Century Cures Act, Disability Claims Procedures, and More
"[The 21st Century Cures Act ('Cures')] provides for more enforcement coordination and sharing of information on enforcement efforts.... Cures clarified that if a group health plan subject to the MHPAEA provides coverage for eating disorder benefits, including residential treatment, such benefit coverage must be provided consistent with the MHPAEA.... Cures requires guidance by December 13, 2017 [on relaxed HIPAA] requirements for communications with caregivers of adults with a serious mental illness in order to facilitate treatment. While portions of Cures talk of this solely in reference to health care providers, other provisions refer to this as applying to covered entities in general which would include group health plans." (Winstead PC)
Stolen Pen Drive Results in $2.2 Million HIPAA Settlement
"On January 18, 2017, HHS announced a $2.2 million settlement with the Puerto Rico-based subsidiary of a multinational insurance company for potential HIPAA violations. HHS investigated the subsidiary, which is a HIPAA covered entity and underwriter of life and disability insurance and group health insurance plans, after the subsidiary notified the government of the theft of a pen drive containing electronic protected health information (ePHI)." (Practical Law Company)
OCR Announces First HIPAA Enforcement Action for Untimely Breach Notification
"This enforcement action underscores the need for covered entities and business associates to have clear policies and procedures in place to respond to Breach Notification Rule requirements in an effective and timely manner. All breaches discovered in 2016 affecting fewer than 500 individuals must be reported to HHS by March 1, 2017." (von Briesen & Roper, s.c.)
Time Waits for No One: OCR Announces First HIPAA Settlement for Lack of Timely Breach Notification
"Presence Health agreed to pay a settlement amount of $475,000. It is noteworthy that Presence Health is a relatively large health system, but the settlement is well below the average of recent settlements (the average 2016 resolution agreement was approximately $2 million). Presence Health also agreed to enter into a two-year corrective action plan, which requires new policies and procedures and training, but does not include internal or external monitoring like some prior settlements." (Davis Wright Tremaine LLP)
[Guidance Overview] Who is a HIPAA 'Business Associate'?
"The extension of business associate status to subcontractors can ensnare unsuspecting individuals and organizations because prior to the Omnibus Rule subcontractors were untouched by the HIPAA Rules. Many could still be unaware that they are performing functions for covered entities or dealing with PHI.... OCR has specifically reminded covered entities and business associates that using a cloud service provider to maintain ePHI without entering into a business associate agreement violates the HIPAA Rules. In addition, risk analysis and risk management need to account for ePHI stored in the cloud, whether on servers within the U.S. or overseas." (McDonald Hopkins)
First HIPAA Enforcement Action for Lack of Timely Breach Notification Settles for $475,000
"OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR." (U.S. Department of Health and Human Services [HHS])
Beware of Phishing Email Disguised as Official OCR Audit Communication
"[OCR has warned] health plans, health care providers, and their vendors of a mock communication involving the OCR audit program under [HIPAA]. The email falsifies HHS departmental letterhead and the signature of the OCR Director and directs individuals to a non-governmental website marketing the cybersecurity services of a firm that is not associated with HHS or OCR.... OCR has begun contacting business associates as part of its HIPAA audit program. Business associates should be looking out for any emails they receive from OCR and, after first confirming that they are genuine, take prompt measures to meet audit response deadlines." (Ballard Spahr LLP)
[Guidance Overview] HHS Increases Penalties for HIPAA Violations (PDF)
"The new penalties reflect a 10.02 percent increase over the prior amounts and include a 'catch-up' inflation adjustment. Inflation adjustments will now be issued on an annual basis, no later than January 15 each year." (Xerox HR Services)
HHS Alert: Phishing Email Disguised as Official OCR Audit Communication
"[A] phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR's Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm's cybersecurity services. In no way is this firm associated with [HHS] or the Office for Civil Rights." (U.S. Department of Health and Human Services [HHS])
Malware Infiltration Results in $650,000 HIPAA Settlement
"[HHS] has announced a settlement with an East Coast university involving potential violations of [HIPAA] resulting from a malware infection at one of the university's facilities. The university will pay $650,000 to settle the potential HIPAA violations and must comply with numerous requirements under a corrective action plan." (Practical Law Company)
Shared Information Compliance: After HIPAA Comes FTC Act
"The agencies offered tips to help businesses ensure that their disclosure statements are in compliance with the FTC Act: [1] Don't bury key facts in links to a privacy policy, terms of use or the HIPAA authorization.... [2] Design user interface with various devices in mind, ensuring that participants do not have to scroll to view disclosure claims. [3] Review user interface for contradictions and get rid of them. [4] Ensure paper and electronic disclosure statements are consistent as the FTC Act applies to both." (Bloomberg BNA)
[Guidance Overview] New Guidance on Cloud Computing and the HIPAA Privacy and Security Rules (PDF)
"A cloud service provider is a business associate under HIPAA even if the cloud service provider processes or stores only encrypted ePHI and lacks an encryption key for the data. Even 'no-view' cloud-based systems are business associates and require monitoring to ensure compliance with HIPAA. Employers should review their human resources and benefits systems to determine which are cloud-based and ensure that HIPAA protections are in place." (Segal Consulting)
How to Avoid Being the Next OCR Target for a HIPAA Civil Monetary Penalty
"The most frequent violations of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act regulations are not hacking! They are: [1] Lost/stolen laptops, mobile devices, paper medical records, thumb drives; [2] No security risk assessment or assessment not enterprise-wide; [3] No or outdated Business Associate Agreement; [4] Improper disclosure of PHI." (Bryan Cave LLP)
[Guidance Overview] Dear Participant, Here's Your Notice That Your HIPAA Privacy Notice Is Available
"Not only must Covered Entities abide by the Privacy Standards, but they are also required to let covered individuals know about these standards by providing a notice.... Self-insured Health Plans (and fully-insured health plans that get PHI) are responsible for providing this notice to covered individuals at the time of enrollment and within 60 days of a material revision to the notice.... In addition to the Notice of Privacy Practices, a reminder notice must be distributed every three years notifying individuals covered by the health plan that the Notice of Privacy Practices is available and how they can obtain a copy of it." (Compliance Dashboard)
[Guidance Overview] Clouds, with a Nearly 100% Chance of a Business Associate Agreement
"[If] your company has an off-site data server that is managed by a third party and ePHI is stored on that server, a business associate agreement with that third party is probably necessary. Even if all you do is use something like Google Docs, OneNote, Evernote, or Dropbox for storage, that could be considered cloud computing subject to these rules.... HHS's position is that it is a HIPAA violation if ePHI is shared with a cloud provider and there's no business associate agreement in place." (Benefits Bryan Cave)
HIPAA Privacy and Security Audits: OCR Phase 2
"Covered entities and business associates will have approximately 10 days to respond to the audit request. OCR will issue two separate document requests via email: one for policies and procedures (and related documentation), and another for a list of business associates. Auditees must submit requested documentation to OCR's online portal[.]" (Compliance Dashboard)
Sharing Consumer Health Information? Look to HIPAA and the FTC Act
"Does your business collect and share consumer health information? When it comes to privacy, you've probably thought about the Health Insurance Portability and Accountability Act (HIPAA). But did you know that you also need to comply with the Federal Trade Commission (FTC) Act? This means if you share health information, it's not enough to simply consider the HIPAA regulations. You also must make sure your disclosure statements are not deceptive under the FTC Act." (Federal Trade Commission [FTC])
OCR on HIPAA Enforcement: 'We May Have More Fines in the Future'
"OCR will be providing more guidance to help entities and [business associates], noted Deven McGraw, OCR's deputy director for health information privacy, also speaking at the conference. The guidance will address, among other things, the distinction between a request for records from a third party versus from an individual patient, text messaging, sharing information with a patient's friends and family, and social media." (FierceHealthcare)
Outdated HIPAA Agreement Costs Business Associate Big Bucks
"An out-of-date business associate agreement and its potential [HIPAA] violations came with a $400,000 price tag for business associate Care New England Health System.... The business associate agreement, which was updated as a result of the OCR investigation in August 2015, failed to include revisions required under the January 2013 HIPAA Omnibus final rule." (Bloomberg BNA)
Just Around the Corner: HIPAA Audits for Business Associates
"For business associates, desk audits will target breach notification and the security rule's risk analysis and risk management requirements. OCR intends for the desk audits to begin any time now and to conclude by the end of the year. Next year, OCR plans to conduct full audits of all the HIPAA requirements of a selected group of both business associates and covered entities." (Davis Wright Tremaine LLP)
[Guidance Overview] Time to Send Notice that Your HIPAA Privacy Notice is Available
"HIPAA has a requirement that plan sponsors must send a notice to participants letting them know they have a right to receive a notice of privacy practices.... Since all group health plans were required to revise their notices by November 23, 2013 ... the 3-year deadline for reminding participants is approaching for all plans that have not sent a revised notice or notice of availability since the deadline in 2013." (Graydon Head & Ritchey LLP)
HHS Clarifies Cloud Providers as Business Associates
"Whether a contractor to a covered entity or subcontractor to a business associate, this status applies even if a cloud provider handles only encrypted ePHI and does not hold the key to decrypt the data, OCR says. That means covered entities and business associates are required to enter into HIPAA-compliant business associate agreements with cloud providers. The guidance calls cloud providers contractually liable for meeting the agreement's terms, and directly liable for compliance with applicable HIPAA requirements." (FierceHealthcare)
Resolution Agreement and FAQ Highlight OCR's Emphasis on HIPAA Business Associates
"The resolution agreement illustrates that service providers may be business associates even if they are related corporate affiliates of a covered entity. And the FAQ highlights the importance of careful contract drafting based on a clear understanding of each business associate's services. Contracts that restrict a covered entity's access to PHI maintained on its behalf raise significant compliance issues." (Thomson Reuters / EBIA)
[Guidance Overview] HIPAA Compliance: Not Just an Issue for Health Care Providers
"[A]ny employer that sponsors a self-insured group health plan for its employees will have substantial HIPAA compliance obligations and the failure to satisfy such obligations can have significant adverse consequences. Therefore, as part of the acquisition due diligence process, it is essential for potential purchasers to assess a target company's level of HIPAA compliance." (Dechert)
HIPAA Settlement Illustrates Importance of Reviewing and Possibly Updating Business Associate Agreements
"The settlement includes a monetary payment of $400,000 and a comprehensive corrective action plan. [Care New England Health System (CNE)] provides centralized corporate support for its subsidiary affiliated covered entities, which include a number of hospitals and health care providers in Massachusetts and Rhode Island. These functions include, but are not limited to, finance, human resources, information services and technical support, insurance, compliance and administrative functions." (U.S. Department of Health and Human Services [HHS])
Taking Measure of HIPAA Enforcement
"[It] has been a banner year for OCR in HIPAA enforcement, with more settlements and a bigger haul than ever before. Yet, many of the enforcement actions involve relatively straightforward allegations of noncompliance, such as the lack of adequate risk analyses and risk management plans, failure to enter into business associate agreements, or failure to implement appropriate policies and procedures. Covered entities and business associates should be mindful of these enforcement actions and use them as an opportunity to critically evaluate their own compliance efforts." (Bradley Arant Boult Cummings LLP)
[Guidance Overview] Building Excellence in HIPAA Compliance: Not Just for Health Care Providers
"If you offer a group health plan and/or on-site health services, ... determine the existence and scope of your HIPAA compliance responsibilities. For businesses with direct compliance obligations: [a] Keep momentum strong. Compliance audits don't stop with Phase 2. [b] Learn from past enforcements. OCR trigger points include: [1] Security Rule risk analyses and risk management plans for ePHI; [2] Portable electronic device security; [3] Individuals' right to access their own PHI; and [4] Proper BA relationships. [c] Ensure buy-in. Engage your c-suite, and build a culture of compliance among the workforce. [d] Train your employees.... [e] Learn from your peers." (Ice Miller LLP)
[Guidance Overview] Penalties for HIPAA Noncompliance Rise on August 1
"[The] adjusted penalty for each February 18, 2009 or later violation of HIPAA's administrative simplification provisions, if it is established that a covered entity (CE) or business associate (BA) did not know (and by exercising reasonable diligence would not have known) that the CE or BA violated the provision, is [between] $110 (increased from $100) [and a maximum of] $55,010 (increased from $50,000).... [The] adjusted penalty for each February 18, 2009 or later violation of HIPAA's administrative simplification provisions, if it is established that the violation was due to reasonable cause and not willful neglect, is [between] $1,100 (increased from $1,000) [and a maximum of] $55,010 (increased from $50,000)." (Practical Law Company)
HIPAA Audit Check-Up: Where We Are and What's to Come
"Business associates should verify that risk analysis, risk management, and breach notification policies and procedures, and supporting documentation, are in place and readily available ... Covered entities should focus on likely areas of future desk audits, such as device and media controls, transmission security, privacy safeguards, privacy training, encryption and decryption, and facility access controls." (Davis Wright Tremaine LLP)
Court Dismisses Claims in Premera Data Breach Class Action But Allows Re-Filing
"The court identified a number of procedural problems with the complaint and its alleged causes of action. For example, the complaint alleged fraud but did not clearly articulate the actions Premera should have taken, specific affirmative misrepresentations by Premera, or the information that Premera should have disclosed to affected individuals.... Conversely, the court ruled that the claim for unjust enrichment was adequately pled, based on allegations that it was unjust for Premera to retain fees for health insurance without securing sensitive data." [In re Premera Blue Cross Customer Data Security Breach Litigation, No. 15-2633 (D. Or. Aug. 1, 2016)] (Thomson Reuters / EBIA)
HIPAA Phase 2 Audits: What Has OCR Requested from Auditees to Date? (PDF)
"[W]hile HIPAA-covered entities that were not selected can breathe a deep sigh of relief (for now), the audit activity is far from over. As part of its Phase 2 audit program, OCR will next audit business associates based on the information the covered entities provide. Additionally, OCR will conduct onsite audits of covered entities and business associates." (Alston & Bird LLP)
[Guidance Overview] HHS to Target HIPAA Breaches Affecting Fewer Than 500 Individuals
"The [HHS] website indicates that the first settlement involving a breach of unsecured electronic PHI affecting fewer than 500 individuals occurred in late 2012. But HHS's formal initiative on breaches affecting fewer than 500 individuals appears to reflect the government's belief that investigating the 'root causes' of smaller breaches may reveal the kinds of entity-wide HIPAA noncompliance that have driven some of the large and expensive settlements[.]" (Practical Law Company)
Personal Info of 3.3 Million Health Insurance Customers at Risk After Massive Breach
"Personal information for 3.3 million health insurance customers was compromised when a server for a company that creates ID cards for payers was accessed without authorization. The company, Albany, New York-based Newkirk Products Inc., announced the breach on [August 5]. Newkirk creates ID cards for more than 10 health insurance companies both directly and through its relationship as a service provider to Birmingham, Alabama-based DST Health Solutions Inc." (FierceHealthcare)
Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million
"This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country." (U.S. Department of Health and Human Services [HHS])
Banner Health Nailed by Huge Cyberattack
"Banner Health revealed that hackers may have accessed the healthcare, payment and health plan information of up to 3.7 million individuals. Attackers reportedly gained access through payment processing systems for food and beverage purchases at the Phoenix-based health system.... Stolen information may have included names, birthdates, social security numbers, addresses, dates of service and claims information, as well as health insurance information as a current or former member of one of Banner's health plans or as a beneficiary of a Banner Health employee benefits plan." (Healthcare Finance News)
[Guidance Overview] HIPAA Wake-Up Call for Financial Institutions: First HIPAA Settlement with a Business Associate
"This settlement case focused on the absence of risk analysis and risk management. Once again, OCR is sounding the alarm for the need for periodic risk analysis.... [F]inancial institutions acting as business associates should review whether they have an up-to-date HIPAA compliance program in place and fine-tune existing policies and procedures based on experience." (Davis Wright Tremaine LLP)
[Guidance Overview] HIPAA Audit Guidance Issued by OCR
"[S]elected auditees are not being uniformly audited; rather, some have been asked about selected privacy policies and practices, others will be audited on selected security and breach notification standards, and still others received inquiries regarding selected privacy, security and breach notification standards.... [C]overed entities with multiple locations are being audited either with respect to one particular site or all locations in the system.... The selected audit standards focus on many of the areas that have been cited in the OCR resolution agreements and corrective action plans announced in the past year." (Nixon Peabody LLP)
[Guidance Overview] New HIPAA Guidance Requires Ransomware Attacks to Be Reported
"Most notable in the HHS's guidance is the clarification of whether a ransomware attack is considered a HIPAA breach and thus requires notification of the incident to them.... When electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, a breach has indeed occurred. In being encrypted by the ransomware, the attackers have taken possession and control of the information, which constitutes 'disclosure' in violation of the HIPAA Privacy Rule. While the intent of a ransomware attack is not necessarily to steal the data but instead to hold it for ransom, by taking possession of it, they are still creating a breach." (WithumSmith+Brown, PC)
Health Plans and Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement
"UMMC's breach notification disclosed that UMMC's privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC's Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops." (Solutions Law Press)
[Guidance Overview] OCR Releases Guidance Documents for Phase 2 Audits
"To ... help regulated entities prepare for future audits and improve their overall compliance programs, OCR released three targeted guidance documents to further clarify the Phase 2 Audit process: [1] a comprehensive question-and-answer set addressing questions from auditees; [2] a chart placing OCR's desk audit document requests in context with HIPAA requirements, associated protocol audit inquiries, and questions from auditees; and [3] slides used in OCR's July 13, 2016 webinar for the selected auditees. These documents supplement the Phase 2 audit protocol released earlier this year." (Ice Miller LLP)
OCR Fines HIPAA Covered Entity Over Multiple Noncompliance
"OCR opened its investigation after receiving multiple breach reports ... including two reports involving unencrypted laptops and a large breach involving an unencrypted thumb drive ... OCR reported that OHSU had performed at least six Security Rule risk analyses, but they were not enterprise-wide in scope -- that is, the risk analyses did not address all of the ePHI maintained or transmitted within the organization." (Ice Miller LLP)
Despite Six Risk Analyses, University Must Pay $2.7 Million in HIPAA Settlement
"Though multi-million dollar HHS settlements involving HIPAA compliance have become surprisingly routine, this one [is notable] because of what it suggests regarding HHS's position on cloud vendors as HIPAA business associates. In the past, it could be argued that at least some cloud providers fell within a 'conduit exception' to the BAA requirement that HHS had recognized regarding entities that merely transported information but generally did not access it ... More recently, however, HHS has taken the view that an entity that maintains PHI on a covered entity's behalf is a business associate and not a conduit -- even if the entity does not view the PHI." (Practical Law Company)
Widespread HIPAA Vulnerabilities Result in $2.7 Million Settlement
"OCR's investigation uncovered evidence of widespread vulnerabilities within [Oregon Health and Science University's] HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. The server stored a variety of ePHI including credit card and payment information, diagnoses, procedures, photos, driver's license numbers and Social Security numbers." (U.S. Department of Health and Human Services [HHS])
[Guidance Overview] OCR Releases HIPAA Guidance on Ransomware
"The guidance states that the presence of any malware, including ransomware, on the device of a covered entity or business associate 'is a security incident' under the HIPAA regulations. Business associates who are targeted by ransomware should review the requirements of their business associate agreements with respect to when and how they are required to report security incidents to the covered entities with which they contract. In addition, the OCR [description of] the new guidance states that a ransomware attack 'usually' results in a breach of unsecured PHI." (Nixon Peabody LLP)
Ransomware in Healthcare
"The threat of ransomware is not going away. New viruses are being developed and deployed every single day. Every healthcare organization must assume that it will be attacked by ransomware in the near future and prepare accordingly. This means updating your security incident response plan, educating employees about the ransomware threat, conducting realistic exercises simulating a ransomware attack to identify gaps in your organization's response, and addressing those gaps quickly." (Troutman Sanders)
[Guidance Overview] HIPAA Security Guidance Addresses Ransomware Attacks
"Addressing the scope of risk analyses required under the security management process standard, HHS would expect CEs and BAs to adopt measures as part of the security management process to reduce risks to ePHI 'throughout an organization's entire enterprise.' HHS acknowledges that there is not a HIPAA Security Rule standard or implementation specification for updating firmware. However, HHS believes that an entity should, as part of its risk analysis, identify and address risks to ePHI from network devices that use obsolete firmware." (Practical Law Company)

Important word about authorship:
BenefitsLink® provides this page for you, containing selected hypertext links to pages on the web that our editors think will be useful or interesting to you. But BenefitsLink is not the author or publisher of those linked pages (except as expressly indicated). You should contact directly the author of any such linked pages for copyright or other information about their contents.
© 2017, Inc.