Health plan admin - HIPAA

[Official Guidance] Text of IRS and DOL 'Extension of Time Frames' for Employee Benefit Plans, Participants and Beneficiaries Affected by Hurricane Maria
12 pages. "With respect to plan participants, beneficiaries, qualified beneficiaries, or claimants directly affected by Hurricane Maria ... group health plans, disability and other welfare plans, pension plans, and health insurance issuers offering coverage in connection with a group health plan must disregard the period from September 17, 2017 through March 16, 2018 for such plan participants, beneficiaries, qualified beneficiaries, or claimants located in Puerto Rico, and must disregard the period from September 16, 2017 through March 15, 2018 for such plan participants, beneficiaries, qualified beneficiaries, or claimants located in the United States Virgin Islands, when determining any of the following time periods and dates:
  • The 30-day period (or 60-day period, if applicable) to request special enrollment under ERISA section 701(f) and Code section 9801(f);
  • The 60-day election period for COBRA continuation coverage under ERISA section 605 and Code section 4980B(f)(5);
  • The date for making COBRA premium payments pursuant to ERISA section 602(2)(C) and (3) and Code section 4980B(f)(2)(B)(iii) and (C);
  • The date for individuals to notify the plan of a qualifying event or determination of disability under ERISA section 606(a)(3) and Code section 4980B(f)(6)(C);
  • The date within which individuals may file a benefit claim under the plan's claims procedure pursuant to 29 CFR 2560.503-1;
  • The date within which claimants may file an appeal of an adverse benefit determination under the plan's claims procedure pursuant to 29 CFR 2560.503-1(h);
  • The date within which claimants may file a request for an external review after receipt of an adverse benefit determination or final internal adverse benefit determination pursuant to 29 CFR 2590.715-2719(d)(2)(i) and 26 CFR 54.9815-2719(d)(2)(i), and
  • The date within which a claimant may file information to perfect a request for external review upon a finding that the request was not complete pursuant to 29 CFR 2590.715-2719(d)(2)(ii) and 26 CFR 54.9815-2719(d)(2)(ii)....
"With respect to group health plans, and their sponsors and administrators, that are directly affected by Hurricane Maria ... the period from September 17, 2017 through March 16, 2018 for those located in Puerto Rico, and the period from September 16, 2017 through March 15, 2018 for those located in the United States Virgin Islands, shall be disregarded when determining the date for providing a COBRA election notice under ERISA section 606(c) and Code section 4980B(f)(6)(D)." (Employee Benefits Security Administration [EBSA], Department of Labor [DOL]; Internal Revenue Service [IRS], Department of the Treasury)
Discretionary Clauses in ERISA Health and Disability Plans: Are They Still Viable? (PDF)
"As of 2015 ... nearly 25 states either have or are in the process of banning discretionary clauses in insurance policies subject to ERISA.... The Firestone decision made it clear that in the absence of an effective discretionary clause, a court deciding a benefit dispute utilizes the de novo standard of adjudication that favors neither party.... Plan insurers ... are expected to continue their opposition to the laws and argue that states run afoul of ERISA when they attempt to regulate the language in ERISA plans; however, the Supreme Court's refusal to hear an appeal from the Morrison ruling suggests that such efforts are unlikely to succeed." (DeBofsky & Associates, P.C., via Bloomberg BNA)
[Guidance Overview] ACA's Nondiscrimination Taglines and Notices Require Updating Your Notice of Privacy Practices
"OCR has issued guidance indicating that ACA does indeed impact [a covered entity's notice of privacy practices (NPP)]. Moreover, breach notifications also likely are affected.... [If] they have not already done so, covered entities should consider updating their NPPs to include the required nondiscrimination language and 'taglines' in different languages. Covered entities also should address their breach notification policies, procedures, templates, processes, and checklists so that any required ACA language and taglines are included in any breach notifications going to individuals." (Davis Wright Tremaine LLP)
HHS Withdraws Proposed Regs Requiring Health Plans to Certify HIPAA Compliance
"Withdrawal of the proposed regulations indicates that HHS has decided to go back to the drawing board -- and also takes some pressure off of HHS to make a decision on health plan identifiers (HPIDs), which, among other uses, were going to be used to identify health plans submitting compliance certifications." (Thomson Reuters / EBIA)
[Guidance Overview] HIPAA Compliance Checklist for Employer-Sponsored Health Plans (PDF)
"Given recent high-profile HIPAA enforcement actions, employers should understand their compliance obligations. This checklist is intended to assist plan sponsors with HIPAA compliance for their plans." (Davis Wright Tremaine LLP)
[Official Guidance] Text of HHS Withdrawal of Proposed Regs for Certification of Compliance for Health Plans
"This document withdraws the January 2, 2014, proposed rule that would have required a controlling health plan (CHP) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules under [HIPAA]. This proposed rule would have also established penalty fees for a CHP that failed to comply with the certification of compliance requirements." (U.S. Department of Health and Human Services [HHS])
HIPAA Compliance: Protecting Employee Information
"Document employee training.... Procedures should affect every department.... Audit all subcontractors.... Make areas with private information secure.... Use shredders.... Make privacy a workplace culture.... Shut off the auto-complete option.... Protect employee files.... Ask for outside help." (Lindquist LLP)
Aetna Accidentally Exposed Customers' HIV Status
"The letters, which contained information about changes in pharmacy benefits and access to HIV medications, were sent to about 12,000 customers across multiple states, Aetna confirmed ... For some of these customers, a plastic window on the envelope exposed not only the patient's name and address, but also a reference to filling prescriptions for HIV medications. This meant that whoever picked up the mail that day -- a family member, a friend, a postal worker -- would have been able to see the confidential information[.]" (The Washington Post; subscription may be required)
Attempting to Avoid the High Cost of a Reported HIPAA Breach
"In the last 24 months, 349 breaches of unsecured protected health information affecting 500 or more individuals have been reported to [HHS Office of Civil Rights]. Nearly 175 of those breaches occurred in 2017 alone, affecting over 3.2 million individuals in just seven months. From January to July this year, the OCR entered into settlement resolutions related to reported HIPAA breaches for a combined total of approximately $17 million.... Three of the largest settlement amounts paid this year resulted from failure to develop and implement policies to prevent, report and correct breaches." (Dickinson Wright PLLC)
Making Sense of Employee Health Record Privacy Regs (PDF)
"As employers become more involved in the overall management of employee wellness and healthcare expenditures, there is a strong interest in effective management and utilization of this employee data for a growing range of employer interests. Employers and other entities are becoming more involved in Big Data initiatives, offering new opportunities to gather information that will promote more effective and efficient workplaces. However, employers need to consider carefully their approach to employee healthcare information and act intelligently." (Wiley Rein LLP, via Journal of the American Health Information Management Association [AHIMA])
Heightened Transparency in Breach Notification Tool Nudges HIPAA Compliance
"The new [HIPAA Breach Reporting Tool (HBRT)] features enhanced search and navigation functions, but its main purpose is much the same as its predecessor -- namely, public access to information about HIPAA breaches affecting 500 or more individuals. Its enhanced functions allow HBRT users to filter through the most recent types of breaches, where the breaches occurred, and the number of impacted individuals. The HBRT ... provides enough information about the type, source and scope of the breach to potentially impact the breaching party's reputation as a provider or vendor." (Drinker Biddle)
HIPAA 'Wall of Shame' Gets Update from OCR
"The tool, commonly referred to as the 'Wall of Shame,' is a publicly available listing of reported breaches of unsecured protected health information ('PHI') affecting 500 or more individuals.... [It] now includes enhanced functionality, an archive with all older breaches and how they were resolved, improved navigation to additional breach information, and consumer tips." (von Briesen & Roper, s.c.)
Tracking EEOC Rules for Wearables in Wellness Programs
"FitBits and Apple watches, among other wearables, not only count steps but provide data including activity levels, sleep patterns and heart rates. As these devices become central to workplace wellness programs, it is especially important that employers understand that many of the new EEOC rules govern privacy and security issues associated with the collection, storage and sharing of individual data collected through workplace wellness programs." (International Foundation of Employee Benefit Plans [IFEBP])
Assessments, Policies, and Training Are Key to HIPAA Compliance
"Periodic risk assessments, updated policies and procedures, and ongoing training are critical to HIPAA compliance ... The urgency of these has been driven home by the recent rise in big-ticket HIPAA settlements obtained by [HHS].... The OCR still sees insufficiency in the scope of risk assessments ... [which] they should cover everywhere PHI is located and all of its vulnerabilities." (HRDailyAdvisor)
HHS Provides Cyberattack Checklist for HIPAA-Covered Entities
"The Office for Civil Rights presumes that most cyber-related security incidents in which PHI was accessed, acquired, used or disclosed are reportable breaches. Health plan sponsors (and affiliates) who experience a ransomware attack or other cyber-related security incident should follow the OCR checklist. Coordination will likely be required between the employer's information technology and HR departments to properly respond to a cyberattack." (Willis Towers Watson)
Fiduciary Obligations to Safeguard Plan Participants' Data
"Because benefit data includes participants' names, Social Security numbers, account information and PII, it is increasingly important for ERISA plan fiduciaries to acknowledge and act on their inherent responsibilities to secure online plan data from cyberattacks. Failure to do so would almost certainly be counter to the prudence standard by which ERISA fiduciaries are required to abide.... Given the broad scope of an ERISA fiduciary's obligation to act with prudence, it is in the best interest of all parties involved with ERISA plans to begin developing systems and procedures for properly handling and securing PII." (Trucker Huss)
[Official Guidance] OCR Cyber Attack Checklist for HIPAA Covered Entities and Business Associates (PDF)
"This guide explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident. In the event of a cyber attack or similar emergency an entity: [1] Must execute its response and mitigation procedures and contingency plans.... [2] Should report the crime to other law enforcement agencies ... [3] Should report all cyber threat indicators to federal and information-sharing and analysis organizations ... [4] Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals[.]" [Unnumbered and undated document, published online June 2017.] (U.S. Department of Health and Human Services [HHS])
Molina Healthcare Investigates Breach of Patients' Data
"Molina Healthcare... has shut down its online patient portal as it investigates a potential data breach that may have exposed sensitive medical information. The company said [May 26] that it closed the online portal for medical claims and other customer information while it examined a 'security vulnerability.' It's not clear how many patient records might have been exposed and for how long. The company has more than 4.8 million customers in 12 states and Puerto Rico." (Kaiser Health News)
HIPAA Is Here to Stay
"Audits initiated by OCR and investigations resulting from reported violations reveal that HIPAA compliance continues to be a governmental priority under the new administration. Indeed, nine representative resolution agreements have been released by HHS thus far in 2017 ... Thus, it is as important as ever for employer-sponsored group health plans to ensure that they are complying with HIPAA's encompassing and technical requirements. As the various resolution agreements detail, failure to do so can have dire financial consequences on the group health plan (and correspondingly on the sponsoring employer)." (Fraser Trebilcock)
Two HHS Settlements for HIPAA Violations Include Penalties Totaling Over $5 Million
"To prevent costly HIPAA enforcement actions, covered entities are advised to: [1] Conduct new risk analyses after all modifications to underlying technology; [2] Update policies and procedures to account for changes in technology or practices; [3] Regularly provide HIPAA training to employees; [4] Conduct HIPAA audits; [5] Monitor security breaches; and [6] Create and implement a breach response plan." (The Wagner Law Group)
Multimillion Dollar HIPAA Settlements Focus on Encryption and Unauthorized Disclosures
"Encryption continues to be one of OCR's top priorities for mobile devices and storage media.... OCR cited a covered entity's continued use of unencrypted portable devices as an aggravating factor when it recently assessed a $3.2 million civil monetary penalty. And OCR has previously warned that a covered entity is not excused from HIPAA's privacy requirements simply because it believes an individual's identity is already publicly known." (Thomson Reuters / EBIA)
$2.4M HIPAA Settlement Warns Health Plans and Providers Against Sharing Medical Info with Media, Others
"Healthcare providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) can't disclose the name or other protected health care information about a patient in press releases or other announcements without prior authorization from the patient. That's the clear lesson Covered Entities should learn from the $2.4 million ... that the largest not-for-profit health system in Southeast Texas ... is paying to settle charges it violated the [HIPAA] Privacy Rule by issuing a press release with the name and other protected health information (PHI) about a patient without the patient's prior HIPAA-compliant authorization[.]" (Solutions Law Press)
Button Up Your HIPAA Business Associate Agreements or Pay the Price
"The CCDH settlement is a timely reminder of the importance of a business associate agreement even if no electronic protected health information is involved and demonstrates OCR's readiness to require a settlement agreement, resolution amount and corrective action plan even in the absence of any protected health information being made public.... [P]lan administrators should ensure that as they enter into arrangements with new service providers for their group health plans no protected health information is transferred until the business associate agreement (and not just the service agreement) has been executed." (Benefits Bryan Cave)
Top Five HIPAA Myths That Arise in Higher Education
"[1] HIPAA applies to all medical information we maintain as a college or university.... [2] If we release medical information about a student or employee we can be sued for violating HIPAA.... [3] HIPAA prohibits a college or university from asking an employee or student for medical information.... [4] HIPAA applies to any person with medical training and a professional license.... [5] HIPAA prohibits employees from talking about the health situation of their co-workers or their students." (Husch Blackwell)
OCR Announces First HIPAA Settlement with Wireless Health Services Provider
"OCR appears to be voicing its concern regarding HIPAA compliance and wireless health devices.... CardioNet's corrective action plan underscores OCR's expectations for HIPAA Security Rule compliance in this sector. During the last year, OCR has issued guidance for mobile health application developers, and developed a portal designed to provide guidance to health app developers." (Morgan Lewis)
HIPAA Risk Analysis Lapses Lead to OCR Enforcement: How Is Your Security Management Process?
"[In] its guidance materials, OCR describes several baseline expectations for a compliant risk analysis.... With these enforcement actions, OCR continues to hammer home the message that the security management process should be top-priority for CEs and BAs that create, receive, maintain, or transmit ePHI and that risk analysis and risk management are indeed foundational to achieving and maintaining Security Rule compliance. HIPAA-regulated entities should not only thoughtfully plan, carry out, and implement a risk analysis and RMP but also be mindful of organizational and environmental changes that require them to review and revise their processes to best safeguard ePHI." (Ice Miller LLP)
Latest HIPAA Resolution Agreement Drives Home Importance of Maintaining Current, Signed Business Associate Agreements
"[A]ll health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA recordkeeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions." (Solutions Law Press)
The Costly Consequences of Failing to Enter Into Written Business Associate Agreements
"The Filefax investigation was likely launched after news reports at the time revealed that medical records held by the company were found in a dumpster. CCDH had used Filefax to store its inactive paper medical records since 2003. Further investigation revealed that CCDH had disclosed the PHI of at least 10,728 individuals to Filefax without obtaining Filefax's satisfactory assurances in the form of a written business associate agreement that it would safeguard the PHI in its possession or control." (Drinker Biddle)
$2.5 Million Settlement Shows That Not Understanding HIPAA Requirements Creates Risk
"In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member's laptop was stolen from a parked vehicle outside of the employee's home. The laptop contained the ePHI of 1,391 individuals. OCR's investigation ... revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented." (U.S. Department of Health and Human Services [HHS])
2016 Was Biggest Year Yet for HIPAA Monetary Settlements
"The year 2016 was by far the biggest yet for monetary settlements under the [HIPAA] privacy and security rules, and 2017 thus far is proceeding apace ... [HHS] announced 12 such settlements in 2016, averaging nearly $2 million ... Three more were concluded in the first 2 months of 2017, along with an outright penalty of $3.2 million in a fourth case. Overall, since it began enforcing HIPAA, the HHS' Office for Civil Rights (OCR) has collected nearly $60 million from 48 monetary settlements and penalties[.]" (HRDailyAdvisor)
$400,000 HIPAA Settlement Highlights Importance of Risk Assessment and Management Plans
"This OCR HIPAA settlement, reached less than one month after Roger Severino's appointment as OCR Director in late March 2017, indicates that there is no slowing down on HIPAA enforcement at HHS under the new administration. Recent HIPAA settlements such as this one emphasize the importance of properly conducting risk analyses and implementing risk management plans to secure ePHI." (Drinker Biddle)
FBI Warns Healthcare Facilities about Cyber-Vulnerable FTP Servers
"Often a default setting, anonymous mode enables a user to access [a server that makes files available for download via file transfer protocol (FTP)] with a common username, either without using a password or by submitting a generic password or email address.... [C]ybercriminals are actively seeking out FTP servers in anonymous mode to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass or blackmail business owners, or to sell stolen information on the dark web." (BDO Center for Healthcare Excellence and Innovation)
[Guidance Overview] HIPAA Guidance Issued on Man-in-the-Middle Attacks
"OCR states that when electronic protected health information (ePHI) that is protected under the Health Insurance Portability and Accountability Act (HIPAA) is transmitted over the internet, covered entities and business associates should include factors for securing end-to-end communication in their security risk analysis required by the HIPAA Security Rule." (McGuireWoods, LLP)
OCR Settlement Emphasizes Need for Swift Breach Response
"The Breach Notification Rule's reporting requirements for breaches of unsecured PHI vary according to the size of the breach and the type of the regulated entity.... For HIPAA-regulated entities, maintaining -- and regularly testing -- a breach response plan is critical to ensuring compliance with the Breach Notification Rule's reporting requirements.... OCR may find that a HIPAA-regulated entity has violated the Breach Notification Rule's timeliness requirements if it gathers sufficient evidence to demonstrate that the entity unreasonably delayed its provision of breach notifications -- even if the entity ultimately sent the notifications within the 60-day window." (Ice Miller LLP)
Recent HIPAA Privacy and Security Settlements, and Lessons Learned
"The settlements and penalties so far [in 2017] total over $11 million, with one of the settlements equaling the largest ever, at $5.5 million.... [L]essons and reminders [include]: [1] Don't use unsupported software (i.e., out-of-date versions) and apply patches regularly and promptly. [2] Train your workforce that idle curiosity ... is forbidden and a HIPAA violation. [3] Pay close attention to Internet scheduling tools, which can present special problems. [4] After routine maintenance, always check that firewalls are reactivated and security settings are appropriate. [5] Wipe any hard drives (which many copiers have) before reselling or returning to leasing companies." (Perkins Coie LLP)
[Guidance Overview] Q&A on HIPAA Compliance for Group Health Plans and Wellness Programs That Use Health Apps (PDF)
"Is all health information received in connection with employer-provided benefits protected under HIPAA? ... If a health plan recommends that plan participants use a health app that provides wellness tools ... will use of the app trigger HIPAA compliance obligations? ... [If] health information is monitored by or provided directly to a third-party wellness vendor that uses data tracked in the health app to determine eligibility for certain incentives offered under an employer-sponsored wellness program. Is HIPAA compliance required? ... What are the consequences of a breach of unsecured PHI involving the transfer of health plan-related data from the app developer to the group health plan?" (Dechert LLP via Practical Law)
The Potential Perils of Collecting Biometric Data About Employees
"Adding to the potential hazards of these initiatives is the dearth of legal authority on the issue of how to collect and manage biometric data.... [O]nly two states, Illinois and Texas, have enacted statutes that even define specifically what constitutes biometric data; and only a few additional states, Alaska, California, New York and Washington, have proposed legislation on the issue.... Here are some rules of thumb -- based in part on the key provisions of the Illinois and Texas laws -- that an employer in possession of its employees' biometric data would be well advised to apply." (Foley & Lardner LLP)
Are You Prepared for a HIPAA Audit?
"In some cases, the covered entity selected for audit may have only ten days and one opportunity to provide the OCR with documentation of compliance policies, procedures, and day-to-day practices. Therefore, it is in covered entities' best interests to prepare for a successful audit in advance.... [S]elf-funded plan sponsors [can] prepare now by taking the time to shore up their PHI privacy and security practices as well as compile the documentation necessary to demonstrate their compliance efforts. [This article includes] a checklist to help you get started[.]" (Marsh Consulting Group)
HIPAA Phase 2 Audits Are Here. Are You Ready?
"Employer-sponsored plans providing health care benefits are generally Covered Entities, and this may include arrangements such as health care flexible spending accounts. Some employers with insured health care plans may be successful in taking a 'hands off' policy so as to avoid the need for the employer to take the many steps necessary to satisfy the rules." (Tucker Ellis LLP)
Are HIPAA Audits Moving Into Enforcement Territory?
"The [HHS] Office for Civil Rights [OCR] began a first phase of the compliance audits in 2011, focused solely on covered entities, while the current phase includes both covered entities and business entities.... OCR's current audits are focused on cybersecurity issues affecting cloud computing, patients' right to access information and health information exchanges." (Bloomberg BNA)
Do You Have Audit Controls to Ensure Access for Terminated Employees is Ended?
"[E]mployers generally have procedures in place that ensure immediate termination of access to an employer's network and computer systems upon the employee's termination of employment.... [Do] you have audit controls in place to ensure the access has been properly terminated? If not, you should put some in place right away, especially if you are a covered entity under HIPAA. And remember not only health care providers are covered entities. Self-funded health plans are also covered entities and subject to the HIPAA privacy and security rules." (Graydon Head & Ritchey LLP)
$5.5M Settlement Reminds Health Plans to Implement and Audit HIPAA Compliance
"MHS' failure to follow through to implement the controls required by its policies and audit and enforce compliance with HIPAA and its HIPAA policies was a costly mistake.... [H]ealth plans, their sponsors, fiduciaries and business associates should take documented action to audit and correct ... their operational compliance with HIPAA to mitigate their exposure to similar enforcement action for HIPAA violations." (Solutions Law Press)
[Guidance Overview] HIPAA for HR: Some Good News for Employers
"[E]mployers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance ... The story is different, however, for those employers who sponsor health plans on a 'self-insured' basis ... Most of the information contained in an employer's personnel files and records is not PHI.... Employers may be subject to various state privacy laws, which afford different and additional protections to employees than does HIPAA." (Foley & Lardner LLP)
[Guidance Overview] HIPAA Small Breach Notifications Due to OCR March 1
"Covered Entities should submit notice for each small breach online via OCR's breach portal. The breach portal requires a separate fillable report for each breach rather than a simple upload of the covered entities' breach logs." (von Briesen & Roper, s.c.)
[Guidance Overview] HIPAA Small Breach Notification Due March 1
"HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay -- and not later than 60 days after discovery. Covered entities also must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered. For this year, notifications of small breaches are due no later than March 1, 2017." (Davis Wright Tremaine LLP)
[Opinion] Call for State Privacy Laws to Align with HIPAA
"State privacy laws supersede HIPAA and can be complex and confusing ... Market impediments include the absence of any economic incentives to share information, in addition to the deliberate blocking of information exchange by providers, insurers, and IT vendors ... By aligning state privacy laws with HIPAA and creating standardized consent forms, states could facilitate information exchange, reducing confusion and legal costs.... [A recent report] includes a detailed roadmap for advancing information flow between providers, including the following steps." (Jeffrey C. Bauer, for HFMA)
Key Lessons to Be Learned from $3.2 Million HIPAA Penalty
"[T]he Final Decision drives home the importance of: [1] Proper encryption and other security and access controls of devices and systems containing ePHI; and [2] Proper documentation of risk assessments, audits, breach investigations and other events, compliance analysis and conclusions taken in response, and corrective actions selected and implemented in response to these events.... [The penalty amount also illustrates] the importance of proper behavior in response to a known or suspected breach." (Solutions Law Press)
How Does an Employer Comply with HIPAA's Privacy Rule When Reporting Health Plan Enrollment Information on Form 1095-C?
"A number of technical requirements must be satisfied before these disclosures may be made by the health plan to the plan sponsor.... Information about offers of coverage to your employees should be available from your employment records (rather than your health plan). Because information in employment records generally is not PHI, reporting this information should not implicate HIPAA's privacy rule." (Thomson Reuters / EBIA)
[Guidance Overview] End-of-Administration Changes: 21st Century Cures Act, Disability Claims Procedures, and More
"[The 21st Century Cures Act ('Cures')] provides for more enforcement coordination and sharing of information on enforcement efforts.... Cures clarified that if a group health plan subject to the MHPAEA provides coverage for eating disorder benefits, including residential treatment, such benefit coverage must be provided consistent with the MHPAEA.... Cures requires guidance by December 13, 2017 [on relaxed HIPAA] requirements for communications with caregivers of adults with a serious mental illness in order to facilitate treatment. While portions of Cures talk of this solely in reference to health care providers, other provisions refer to this as applying to covered entities in general which would include group health plans." (Winstead PC)
Stolen Pen Drive Results in $2.2 Million HIPAA Settlement
"On January 18, 2017, HHS announced a $2.2 million settlement with the Puerto Rico-based subsidiary of a multinational insurance company for potential HIPAA violations. HHS investigated the subsidiary, which is a HIPAA covered entity and underwriter of life and disability insurance and group health insurance plans, after the subsidiary notified the government of the theft of a pen drive containing electronic protected health information (ePHI)." (Practical Law Company)
OCR Announces First HIPAA Enforcement Action for Untimely Breach Notification
"This enforcement action underscores the need for covered entities and business associates to have clear policies and procedures in place to respond to Breach Notification Rule requirements in an effective and timely manner. All breaches discovered in 2016 affecting fewer than 500 individuals must be reported to HHS by March 1, 2017." (von Briesen & Roper, s.c.)
Time Waits for No One: OCR Announces First HIPAA Settlement for Lack of Timely Breach Notification
"Presence Health agreed to pay a settlement amount of $475,000. It is noteworthy that Presence Health is a relatively large health system, but the settlement is well below the average of recent settlements (the average 2016 resolution agreement was approximately $2 million). Presence Health also agreed to enter into a two-year corrective action plan, which requires new policies and procedures and training, but does not include internal or external monitoring like some prior settlements." (Davis Wright Tremaine LLP)
[Guidance Overview] Who is a HIPAA 'Business Associate'?
"The extension of business associate status to subcontractors can ensnare unsuspecting individuals and organizations because prior to the Omnibus Rule subcontractors were untouched by the HIPAA Rules. Many could still be unaware that they are performing functions for covered entities or dealing with PHI.... OCR has specifically reminded covered entities and business associates that using a cloud service provider to maintain ePHI without entering into a business associate agreement violates the HIPAA Rules. In addition, risk analysis and risk management need to account for ePHI stored in the cloud, whether on servers within the U.S. or overseas." (McDonald Hopkins)
First HIPAA Enforcement Action for Lack of Timely Breach Notification Settles for $475,000
"OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR." (U.S. Department of Health and Human Services [HHS])
Beware of Phishing Email Disguised as Official OCR Audit Communication
"[OCR has warned] health plans, health care providers, and their vendors of a mock communication involving the OCR audit program under [HIPAA]. The email falsifies HHS departmental letterhead and the signature of the OCR Director and directs individuals to a non-governmental website marketing the cybersecurity services of a firm that is not associated with HHS or OCR.... OCR has begun contacting business associates as part of its HIPAA audit program. Business associates should be looking out for any emails they receive from OCR and, after first confirming that they are genuine, take prompt measures to meet audit response deadlines." (Ballard Spahr LLP)
[Guidance Overview] HHS Increases Penalties for HIPAA Violations (PDF)
"The new penalties reflect a 10.02 percent increase over the prior amounts and include a 'catch-up' inflation adjustment. Inflation adjustments will now be issued on an annual basis, no later than January 15 each year." (Xerox HR Services)
HHS Alert: Phishing Email Disguised as Official OCR Audit Communication
"[A] phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR's Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm's cybersecurity services. In no way is this firm associated with [HHS] or the Office for Civil Rights." (U.S. Department of Health and Human Services [HHS])
Malware Infiltration Results in $650,000 HIPAA Settlement
"[HHS] has announced a settlement with an East Coast university involving potential violations of [HIPAA] resulting from a malware infection at one of the university's facilities. The university will pay $650,000 to settle the potential HIPAA violations and must comply with numerous requirements under a corrective action plan." (Practical Law Company)
Shared Information Compliance: After HIPAA Comes FTC Act
"The agencies offered tips to help businesses ensure that their disclosure statements are in compliance with the FTC Act: [1] Don't bury key facts in links to a privacy policy, terms of use or the HIPAA authorization.... [2] Design user interface with various devices in mind, ensuring that participants do not have to scroll to view disclosure claims. [3] Review user interface for contradictions and get rid of them. [4] Ensure paper and electronic disclosure statements are consistent as the FTC Act applies to both." (Bloomberg BNA)
[Guidance Overview] New Guidance on Cloud Computing and the HIPAA Privacy and Security Rules (PDF)
"A cloud service provider is a business associate under HIPAA even if the cloud service provider processes or stores only encrypted ePHI and lacks an encryption key for the data. Even 'no-view' cloud-based systems are business associates and require monitoring to ensure compliance with HIPAA. Employers should review their human resources and benefits systems to determine which are cloud-based and ensure that HIPAA protections are in place." (Segal Consulting)

Important word about authorship:
BenefitsLink® ( provides this page for you, containing selected hypertext links to pages on the web that our editors think will be useful or interesting to you. But BenefitsLink is not the author or publisher of those linked pages (except as expressly indicated). You should contact directly the author of any such linked pages for copyright or other information about their contents.
© 2017, Inc.