News Items, by Subject

Health plan admin - HIPAA

To Bring Health Information Privacy Into the 21st Century, Look Beyond HIPAA
"Even though HIPAA remains 'surprisingly functional,' significant gaps persist. These gaps, however, derive not from HIPAA per se, but from the patchwork of health information privacy rules outside of HIPAA.... [O]ne element of this patchwork: the complex rules around and new challenges created by big data analytics. [Additional examples are] ... Social Media ... The Role of States ... Veterans ... Following the European Union's Lead." (Health Affairs)
[Guidance Overview] OCR Cybersecurity Newsletter: Guidance on Software Vulnerabilities and Patching (PDF)
"Identifying software vulnerabilities and mitigating the associated risks are important activities for [HIPAA covered entities and business associates] to conduct as part of their security management process and technical evaluations.... Mitigation activities could include installing patches ... In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching ... entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level[.]" (U.S. Department of Health and Human Services [HHS])
Privacy Please: HIPAA and Artificial Intelligence
"A critical threshold question is at what point does an AI vendor become subject to HIPAA? The answer has significant ramifications for both the AI vendor and the covered customer, which may be a health care provider, health plan, clearinghouse, or business associate. The AI functionality could fall along a continuum ranging from falling outside of HIPAA to triggering the business associate obligations subject to HIPAA." (Artificial Intelligence Law Advisor, Davis Wright Tremaine LLP)
Failure to Encrypt Leads to $4.3 Million in HIPAA Civil Money Penalties
"The breach reports involved: The theft of an unencrypted laptop computer, used for teleworking, which contained the electronic protected health information (ePHI) of nearly 30,000 individuals, from a workforce member's residence. The loss of two unencrypted USB drives, which had belonged to a trainee and a visiting researcher (respectively), and collectively contained the ePHI of roughly 5,800 individuals.... The ALJ's ruling faults the CE, at length, for adopting policies that acknowledged the need for encryption and protecting confidential information (including ePHI), but not fully carrying out those policies in practice for years." (Thomson Reuters Practical Law)
OCR Provides Reminder About Fundamental Aspect of Physical Security for PHI
"One aspect of security that is lurking in plain sight is the workstation. The Security Rule ... focuses on two key areas: [1] controls on physical access to the facility or area where systems which process Protected Health Information (PHI) operate; and [2] protecting the individual system components like workstations. The May OCR newsletter highlights some important issues relating to the workstations that handle PHI." (Poyner Spruill LLP)
Court Requires Texas Cancer Center to Pay $4.3 Million in Penalties for HIPAA Violations
"MD Anderson had written encryption policies going as far back as 2006 [and] MD Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013." (U.S. Department of Health and Human Services [HHS])
IBM Employees Can't Use Removable Storage Anymore: A Strategy for Lowering HIPAA Liability Risk?
"[IBM's global chief information security officer, Shamla Naidoo] explains, 'the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.' ... USB sticks and SD cards are very easy to forget or lose, and whoever finds them will usually check what they contain. Removing them from the equation completely solves that problem, but the cloud access replacing it needs to be rock solid." (PC Magazine)
[Guidance Overview] Beware: HIPAA Applies to the Health Plans You Never Knew You Had
"Most [employee assistance plans (EAPs)] are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition ... Employers/plan administrators ... will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules." (Fox Rothschild LLP)
Risk Analyses vs. Gap Analyses -- What Is the Difference? (PDF)
"Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of [electronic protected health information]. A gap analysis, while not required by the HIPAA Rules, is a useful tool to identify whether certain standards and implementation specifications of the Security Rule have been met." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Court Allows Terminated Employee to Pursue ERISA Section 510 Claims Tied to Son's Large Medical Expenses
"[A]ctions justifiable under the FMLA proved the employer's undoing ... under ERISA.... [C]autious employers should take care to separate employment decisions from employee benefit plan considerations. In fact, this separation is mandatory under HIPAA's privacy rule for employers receiving protected health information from their health plan." [Stein v. Atlas Industries, Inc., No. 17-3737 (6th Cir. Apr. 9, 2018)] (Thomson Reuters / EBIA)
New York State Settlement of Data Breach with Health Plan Includes HIPAA Compliance Undertones
"While the Health Information Technology for Economic and Clinical Health Act [HITECH] granted state attorneys general the authority to enforce HIPAA through civil actions brought on behalf of state residents, until now this authority has not been publicly invoked to any noteworthy degree. The EmblemHealth case is an important reminder that covered entities and business associates, in addition to complying with HIPAA, must also ensure that they abide by state privacy laws that prohibit the improper disclosure of certain personal information." (Akerman)
Federal Enforcement Isn't the Only HIPAA Concern: States Flex Their Muscles
"Despite the lack of significant settlements for HIPAA enforcement by the federal Office of Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations.... Two recent settlements suggest that states are ramping up their enforcement activities." (McGuireWoods, LLP)
How to Stay Within the Law When Using Biometric Information
"Several states have passed laws that regulate how companies may collect, store and disclose biometric information from employees or other individuals.... State data-breach notification statutes include biometric information in the definition of protected personal information." (Society for Human Resource Management [SHRM])
HIPAA in Due Diligence, Part 3: Risk Mitigation Strategies
"Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps.... [I]t is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.... Buyers should consider whether it is appropriate to obtain specific indemnification or escrow of funds to cover potential HIPAA non-compliance.... If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close." (McGuireWoods, LLP)
Blockchain for Healthcare
"Given the decentralized, distributed nature of blockchain, HIPAA issues will need to be carefully considered. One of the benefits of many blockchains is that the transaction data is replicated to multiple nodes. This can create issues for protected information. This suggests that some form of private blockchain may be better suited for patient health records, perhaps combined with separating and encrypting personal health information." (Sheppard Mullin)
HIPAA in Due Diligence, Part 2: Cloud Server Data and HIPAA Compliance
"For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company's documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation.... HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike." (McGuireWoods, LLP)
HIPAA in Due Diligence: Four Key Questions
"To better understand a seller's overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction: [1] Does the seller have the core HIPAA documentation in place? ... [2] Is the seller complying with its policies? ... [3] How does the seller address potential HIPAA security and breach risk areas? ... [4] What is the nature of risk related to any identified gaps?" (McGuireWoods, LLP)
Is HIPAA a Sleeping Giant?
"So far, 2018 has been a light year in terms of HIPAA enforcement. There have been only two publicly-disclosed settlements.... Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future. No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front." (McGuireWoods, LLP)
What Employers Need to Know About Protecting Employee Health Information
"HIPAA generally does not apply to employee health information maintained by an employer.... Even when HIPAA does not apply, employers still have other legal obligations to protect the confidentiality of employee health information in their possession." (Ogletree Deakins)
Anticipating This Year's HIPAA Enforcement Trends (PDF)
"In a time of cybersecurity where each state (almost) is developing their own cybersecurity and breach notification rules, there is still a general rule of federal preemption when it comes to HIPAA, with only a narrow exception for additional state laws and regulations that are in excess of the requirements of HIPAA. It is not inconceivable that in 'streamlining' HIPAA regulations HHS looks for ways to give the states more rights to legislate the security and use of medical information." (Jenner & Block, via Law360)
Receiver for Out-of-Business HIPAA Business Associate Reaches $100,000 Settlement with HHS
"In addition to the $100,000 payment, the receiver agreed, on the company's behalf, to comply with a corrective action plan (CAP). The receiver had already placed the medical records at issue into storage with a third-party information management company. The CAP requires the receiver to properly store and dispose of these remaining medical records." (Thomson Reuters Practical Law)
Consequences for HIPAA Violations Don't Stop When a Business Closes
"A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 ... in order to settle potential violations of the [HIPAA] Privacy Rule. Filefax ... advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shut its doors during the course of OCR's investigation into alleged HIPAA violations, it could not escape its obligations under the law." (U.S. Department of Health and Human Services [HHS])
[Guidance Overview] Due March 1: HIPAA Small Breach Notifications
"HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay ... Covered entities also must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered.... Most business associates will not be affected by this deadline because their reporting obligation is to the covered entity and not to OCR, unless the covered entity has delegated its breach reporting obligations to the business associate." (Davis Wright Tremaine LLP)
[Guidance Overview] Opioid Abuse: Employment Laws, HIPAA Privacy and Other Considerations for Employers
"Employers who may be facing employees with substance use and abuse issues need to be concerned with workplace laws related to safety (OSHA), HIPAA Privacy (if the information about the condition is received by the employer's medical plan), the Mental Health Parity and Addiction Equity Act and their medical plan's compliance with such law, FMLA, the Americans with Disabilities Act and state medical privacy laws." (Winstead PC)
$3.5M HIPAA Settlement Highlights Need to Prioritize Health Plan HIPAA Compliance in 2018
"When weighing the importance of HIPAA compliance and risk management for their health plans, health plans, their employer or other sponsors, fiduciaries, insurers, administrators and their business associates should resist the temptation to underestimate the exposure because providers, rather than health plans, have been the most common target of the majority of the announced OCR enforcement actions resulting in substantial civil monetary penalties or resolution payments." (Solutions Law Press)
Court Declines to Dismiss Claims Against Business Associate Subcontractor Responsible for HIPAA Breach
"The PBM, which contracted with a group health plan to provide mail-order pharmacy services, subcontracted certain functions to the mail service.... According to the PBM, the mail service's unauthorized disclosures violated a performance standard under the PBM's contract with the health plan and triggered a payment of over $1.8 million by the PBM to the plan. The PBM then sought indemnification from the mail service, both under its business associate subcontract and common-law principles, and also contended that the mail service was negligent." [CVS Pharmacy, Inc. v. Press America, Inc., No. 17-190 (S.D.N.Y. Jan. 3, 2018)] (Thomson Reuters / EBIA)
Remember February Deadline for HIPAA Breach Reporting
"While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery, breaches involving less than 500 individuals can be documented throughout the course of the year and submitted 60 days after the end of the calendar year. This means that covered entities have until February 28, 2018 to complete their annual breach reporting obligations." (Husch Blackwell)
HIPAA Breach Reporting: 2017 Trends and Mends
"OCR data shows that HIPAA privacy breach reports affecting 500 or more individuals remained relatively stable when compared to 2016, increasing slightly from 327 to 345. Hacking and IT incidents, however, rose by 25%, with 142 in 2017 compared to 113 in 2016." (McGuireWoods, LLP)
Multiple Security Failures Lead to $2.3 Million HIPAA Settlement
"This is the first resolution agreement publicly announced in several months, but the size of the settlement payment and the strict terms of the CAP indicate that OCR continues to take HIPAA privacy and security compliance seriously. More robust audit controls might have enabled this provider to discover the unauthorized disclosures before the FBI did -- potentially avoiding OCR's investigation and the attendant ramifications." (Thomson Reuters / EBIA)
$2.3M Penalty is Only a Small Part of Oncology Firm's Data Breach Fallout
"While the financial burden of paying the $2.3 million resolution amount and other costs required to respond to OCR's investigation and comply with the resulting corrective action plan are significant in their own right, other businesses and business leaders should realize that these settlement costs represent only a small portion of the fallout that often follows a large data breach.... [The] resolution agreement [with 21st Century Oncology, a now-bankrupt radiation oncology and cancer care provider,] is the first of what almost certainly will be a multitude of HIPAA resolution agreements with OCR that require bankruptcy court approval to release the necessary funds to pay the required $2.3 million resolution payment." (Solutions Law Press)
Failure to Protect the Health Records of Millions of Persons Costs Entity Millions of Dollars
"21st Century Oncology, Inc. (21CO) has agreed to pay $2.3 million in lieu of potential civil money penalties to the [HHS] Office for Civil Rights (OCR) ... to settle potential violations of the [HIPAA] Privacy and Security Rules. 21CO is a provider of cancer care services and radiation oncology. With their headquarters located in Fort Myers, Florida, 21CO operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America." (U.S. Department of Health and Human Services [HHS])
[Official Guidance] Text of IRS and DOL 'Extension of Time Frames' for Employee Benefit Plans, Participants and Beneficiaries Affected by Hurricane Maria
12 pages. "With respect to plan participants, beneficiaries, qualified beneficiaries, or claimants directly affected by Hurricane Maria ... group health plans, disability and other welfare plans, pension plans, and health insurance issuers offering coverage in connection with a group health plan must disregard the period from September 17, 2017 through March 16, 2018 for such plan participants, beneficiaries, qualified beneficiaries, or claimants located in Puerto Rico, and must disregard the period from September 16, 2017 through March 15, 2018 for such plan participants, beneficiaries, qualified beneficiaries, or claimants located in the United States Virgin Islands, when determining any of the following time periods and dates:
  • The 30-day period (or 60-day period, if applicable) to request special enrollment under ERISA section 701(f) and Code section 9801(f);
  • The 60-day election period for COBRA continuation coverage under ERISA section 605 and Code section 4980B(f)(5);
  • The date for making COBRA premium payments pursuant to ERISA section 602(2)(C) and (3) and Code section 4980B(f)(2)(B)(iii) and (C);
  • The date for individuals to notify the plan of a qualifying event or determination of disability under ERISA section 606(a)(3) and Code section 4980B(f)(6)(C);
  • The date within which individuals may file a benefit claim under the plan's claims procedure pursuant to 29 CFR 2560.503-1;
  • The date within which claimants may file an appeal of an adverse benefit determination under the plan's claims procedure pursuant to 29 CFR 2560.503-1(h);
  • The date within which claimants may file a request for an external review after receipt of an adverse benefit determination or final internal adverse benefit determination pursuant to 29 CFR 2590.715-2719(d)(2)(i) and 26 CFR 54.9815-2719(d)(2)(i), and
  • The date within which a claimant may file information to perfect a request for external review upon a finding that the request was not complete pursuant to 29 CFR 2590.715-2719(d)(2)(ii) and 26 CFR 54.9815-2719(d)(2)(ii)....
"With respect to group health plans, and their sponsors and administrators, that are directly affected by Hurricane Maria ... the period from September 17, 2017 through March 16, 2018 for those located in Puerto Rico, and the period from September 16, 2017 through March 15, 2018 for those located in the United States Virgin Islands, shall be disregarded when determining the date for providing a COBRA election notice under ERISA section 606(c) and Code section 4980B(f)(6)(D)." (Employee Benefits Security Administration [EBSA], Department of Labor [DOL]; Internal Revenue Service [IRS], Department of the Treasury)
Discretionary Clauses in ERISA Health and Disability Plans: Are They Still Viable? (PDF)
"As of 2015 ... nearly 25 states either have or are in the process of banning discretionary clauses in insurance policies subject to ERISA.... The Firestone decision made it clear that in the absence of an effective discretionary clause, a court deciding a benefit dispute utilizes the de novo standard of adjudication that favors neither party.... Plan insurers ... are expected to continue their opposition to the laws and argue that states run afoul of ERISA when they attempt to regulate the language in ERISA plans; however, the Supreme Court's refusal to hear an appeal from the Morrison ruling suggests that such efforts are unlikely to succeed." (DeBofsky & Associates, P.C., via Bloomberg BNA)
[Guidance Overview] ACA's Nondiscrimination Taglines and Notices Require Updating Your Notice of Privacy Practices
"OCR has issued guidance indicating that ACA does indeed impact [a covered entity's notice of privacy practices (NPP)]. Moreover, breach notifications also likely are affected.... [If] they have not already done so, covered entities should consider updating their NPPs to include the required nondiscrimination language and 'taglines' in different languages. Covered entities also should address their breach notification policies, procedures, templates, processes, and checklists so that any required ACA language and taglines are included in any breach notifications going to individuals." (Davis Wright Tremaine LLP)
HHS Withdraws Proposed Regs Requiring Health Plans to Certify HIPAA Compliance
"Withdrawal of the proposed regulations indicates that HHS has decided to go back to the drawing board -- and also takes some pressure off of HHS to make a decision on health plan identifiers (HPIDs), which, among other uses, were going to be used to identify health plans submitting compliance certifications." (Thomson Reuters / EBIA)
[Guidance Overview] HIPAA Compliance Checklist for Employer-Sponsored Health Plans (PDF)
"Given recent high-profile HIPAA enforcement actions, employers should understand their compliance obligations. This checklist is intended to assist plan sponsors with HIPAA compliance for their plans." (Davis Wright Tremaine LLP)
[Official Guidance] Text of HHS Withdrawal of Proposed Regs for Certification of Compliance for Health Plans
"This document withdraws the January 2, 2014, proposed rule that would have required a controlling health plan (CHP) to submit information and documentation demonstrating that it is compliant with certain standards and operating rules under [HIPAA]. This proposed rule would have also established penalty fees for a CHP that failed to comply with the certification of compliance requirements." (U.S. Department of Health and Human Services [HHS])
HIPAA Compliance: Protecting Employee Information
"Document employee training.... Procedures should affect every department.... Audit all subcontractors.... Make areas with private information secure.... Use shredders.... Make privacy a workplace culture.... Shut off the auto-complete option.... Protect employee files.... Ask for outside help." (Lindquist LLP)
Aetna Accidentally Exposed Customers' HIV Status
"The letters, which contained information about changes in pharmacy benefits and access to HIV medications, were sent to about 12,000 customers across multiple states, Aetna confirmed ... For some of these customers, a plastic window on the envelope exposed not only the patient's name and address, but also a reference to filling prescriptions for HIV medications. This meant that whoever picked up the mail that day -- a family member, a friend, a postal worker -- would have been able to see the confidential information[.]" (The Washington Post; subscription may be required)
Attempting to Avoid the High Cost of a Reported HIPAA Breach
"In the last 24 months, 349 breaches of unsecured protected health information affecting 500 or more individuals have been reported to [HHS Office of Civil Rights]. Nearly 175 of those breaches occurred in 2017 alone, affecting over 3.2 million individuals in just seven months. From January to July this year, the OCR entered into settlement resolutions related to reported HIPAA breaches for a combined total of approximately $17 million.... Three of the largest settlement amounts paid this year resulted from failure to develop and implement policies to prevent, report and correct breaches." (Dickinson Wright PLLC)
Making Sense of Employee Health Record Privacy Regs (PDF)
"As employers become more involved in the overall management of employee wellness and healthcare expenditures, there is a strong interest in effective management and utilization of this employee data for a growing range of employer interests. Employers and other entities are becoming more involved in Big Data initiatives, offering new opportunities to gather information that will promote more effective and efficient workplaces. However, employers need to consider carefully their approach to employee healthcare information and act intelligently." (Wiley Rein LLP, via Journal of the American Health Information Management Association [AHIMA])
Heightened Transparency in Breach Notification Tool Nudges HIPAA Compliance
"The new [HIPAA Breach Reporting Tool (HBRT)] features enhanced search and navigation functions, but its main purpose is much the same as its predecessor -- namely, public access to information about HIPAA breaches affecting 500 or more individuals. Its enhanced functions allow HBRT users to filter through the most recent types of breaches, where the breaches occurred, and the number of impacted individuals. The HBRT ... provides enough information about the type, source and scope of the breach to potentially impact the breaching party's reputation as a provider or vendor." (Drinker Biddle)
HIPAA 'Wall of Shame' Gets Update from OCR
"The tool, commonly referred to as the 'Wall of Shame,' is a publicly available listing of reported breaches of unsecured protected health information ('PHI') affecting 500 or more individuals.... [It] now includes enhanced functionality, an archive with all older breaches and how they were resolved, improved navigation to additional breach information, and consumer tips." (von Briesen & Roper, s.c.)
Tracking EEOC Rules for Wearables in Wellness Programs
"FitBits and Apple watches, among other wearables, not only count steps but provide data including activity levels, sleep patterns and heart rates. As these devices become central to workplace wellness programs, it is especially important that employers understand that many of the new EEOC rules govern privacy and security issues associated with the collection, storage and sharing of individual data collected through workplace wellness programs." (International Foundation of Employee Benefit Plans [IFEBP])
Assessments, Policies, and Training Are Key to HIPAA Compliance
"Periodic risk assessments, updated policies and procedures, and ongoing training are critical to HIPAA compliance ... The urgency of these has been driven home by the recent rise in big-ticket HIPAA settlements obtained by [HHS].... The OCR still sees insufficiency in the scope of risk assessments ... [which] they should cover everywhere PHI is located and all of its vulnerabilities." (HRDailyAdvisor)
HHS Provides Cyberattack Checklist for HIPAA-Covered Entities
"The Office for Civil Rights presumes that most cyber-related security incidents in which PHI was accessed, acquired, used or disclosed are reportable breaches. Health plan sponsors (and affiliates) who experience a ransomware attack or other cyber-related security incident should follow the OCR checklist. Coordination will likely be required between the employer's information technology and HR departments to properly respond to a cyberattack." (Willis Towers Watson)
Fiduciary Obligations to Safeguard Plan Participants' Data
"Because benefit data includes participants' names, Social Security numbers, account information and PII, it is increasingly important for ERISA plan fiduciaries to acknowledge and act on their inherent responsibilities to secure online plan data from cyberattacks. Failure to do so would almost certainly be counter to the prudence standard by which ERISA fiduciaries are required to abide.... Given the broad scope of an ERISA fiduciary's obligation to act with prudence, it is in the best interest of all parties involved with ERISA plans to begin developing systems and procedures for properly handling and securing PII." (Trucker Huss)
[Official Guidance] OCR Cyber Attack Checklist for HIPAA Covered Entities and Business Associates (PDF)
"This guide explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident. In the event of a cyber attack or similar emergency an entity: [1] Must execute its response and mitigation procedures and contingency plans.... [2] Should report the crime to other law enforcement agencies ... [3] Should report all cyber threat indicators to federal and information-sharing and analysis organizations ... [4] Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals[.]" [Unnumbered and undated document, published online June 2017.] (U.S. Department of Health and Human Services [HHS])
Molina Healthcare Investigates Breach of Patients' Data
"Molina Healthcare ... has shut down its online patient portal as it investigates a potential data breach that may have exposed sensitive medical information. The company said [May 26] that it closed the online portal for medical claims and other customer information while it examined a 'security vulnerability.' It's not clear how many patient records might have been exposed and for how long. The company has more than 4.8 million customers in 12 states and Puerto Rico." (Kaiser Health News)
HIPAA Is Here to Stay
"Audits initiated by OCR and investigations resulting from reported violations reveal that HIPAA compliance continues to be a governmental priority under the new administration. Indeed, nine representative resolution agreements have been released by HHS thus far in 2017 ... Thus, it is as important as ever for employer-sponsored group health plans to ensure that they are complying with HIPAA's encompassing and technical requirements. As the various resolution agreements detail, failure to do so can have dire financial consequences on the group health plan (and correspondingly on the sponsoring employer)." (Fraser Trebilcock)
Two HHS Settlements for HIPAA Violations Include Penalties Totaling Over $5 Million
"To prevent costly HIPAA enforcement actions, covered entities are advised to: [1] Conduct new risk analyses after all modifications to underlying technology; [2] Update policies and procedures to account for changes in technology or practices; [3] Regularly provide HIPAA training to employees; [4] Conduct HIPAA audits; [5] Monitor security breaches; and [6] Create and implement a breach response plan." (The Wagner Law Group)
Multimillion Dollar HIPAA Settlements Focus on Encryption and Unauthorized Disclosures
"Encryption continues to be one of OCR's top priorities for mobile devices and storage media.... OCR cited a covered entity's continued use of unencrypted portable devices as an aggravating factor when it recently assessed a $3.2 million civil monetary penalty. And OCR has previously warned that a covered entity is not excused from HIPAA's privacy requirements simply because it believes an individual's identity is already publicly known." (Thomson Reuters / EBIA)
$2.4M HIPAA Settlement Warns Health Plans and Providers Against Sharing Medical Info with Media, Others
"Healthcare providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) can't disclose the name or other protected health care information about a patient in press releases or other announcements without prior authorization from the patient. That's the clear lesson Covered Entities should learn from the $2.4 million ... that the largest not-for-profit health system in Southeast Texas ... is paying to settle charges it violated the [HIPAA] Privacy Rule by issuing a press release with the name and other protected health information (PHI) about a patient without the patient's prior HIPAA-compliant authorization[.]" (Solutions Law Press)
Button Up Your HIPAA Business Associate Agreements or Pay the Price
"The CCDH settlement is a timely reminder of the importance of a business associate agreement even if no electronic protected health information is involved and demonstrates OCR's readiness to require a settlement agreement, resolution amount and corrective action plan even in the absence of any protected health information being made public.... [P]lan administrators should ensure that as they enter into arrangements with new service providers for their group health plans no protected health information is transferred until the business associate agreement (and not just the service agreement) has been executed." (Benefits Bryan Cave)
Top Five HIPAA Myths That Arise in Higher Education
"[1] HIPAA applies to all medical information we maintain as a college or university.... [2] If we release medical information about a student or employee we can be sued for violating HIPAA.... [3] HIPAA prohibits a college or university from asking an employee or student for medical information.... [4] HIPAA applies to any person with medical training and a professional license.... [5] HIPAA prohibits employees from talking about the health situation of their co-workers or their students." (Husch Blackwell)
OCR Announces First HIPAA Settlement with Wireless Health Services Provider
"OCR appears to be voicing its concern regarding HIPAA compliance and wireless health devices.... CardioNet's corrective action plan underscores OCR's expectations for HIPAA Security Rule compliance in this sector. During the last year, OCR has issued guidance for mobile health application developers, and developed a portal designed to provide guidance to health app developers." (Morgan Lewis)
HIPAA Risk Analysis Lapses Lead to OCR Enforcement: How Is Your Security Management Process?
"[In] its guidance materials, OCR describes several baseline expectations for a compliant risk analysis.... With these enforcement actions, OCR continues to hammer home the message that the security management process should be top-priority for CEs and BAs that create, receive, maintain, or transmit ePHI and that risk analysis and risk management are indeed foundational to achieving and maintaining Security Rule compliance. HIPAA-regulated entities should not only thoughtfully plan, carry out, and implement a risk analysis and RMP but also be mindful of organizational and environmental changes that require them to review and revise their processes to best safeguard ePHI." (Ice Miller LLP)
Latest HIPAA Resolution Agreement Drives Home Importance of Maintaining Current, Signed Business Associate Agreements
"[A]ll health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA recordkeeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions." (Solutions Law Press)
The Costly Consequences of Failing to Enter Into Written Business Associate Agreements
"The Filefax investigation was likely launched after news reports at the time revealed that medical records held by the company were found in a dumpster. CCDH had used Filefax to store its inactive paper medical records since 2003. Further investigation revealed that CCDH had disclosed the PHI of at least 10,728 individuals to Filefax without obtaining Filefax's satisfactory assurances in the form of a written business associate agreement that it would safeguard the PHI in its possession or control." (Drinker Biddle)
$2.5 Million Settlement Shows That Not Understanding HIPAA Requirements Creates Risk
"In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member's laptop was stolen from a parked vehicle outside of the employee's home. The laptop contained the ePHI of 1,391 individuals. OCR's investigation ... revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented." (U.S. Department of Health and Human Services [HHS])