News Items, by Subject

Health plan admin - HIPAA


HHS Fact Sheet Provides Reminder of HIPAA Liability for Business Associates (PDF)
"Business associates can be held directly liable for certain types of HIPAA violations. Business associates include TPAs, consultants or brokers, and other entities that receive PHI on behalf of a health plan. HHS actively enforces the HIPAA Rules, with costly outcomes for covered entities and business associates." (Cowden Associates, Inc.)
HIPAA Breach Settles for $1M in First Settlement Involving State Attorneys General
"Indiana-based Medical Informatics Engineering, Inc. (MIE) agreed to pay $100,000 to the [HHS] Office for Civil Rights (OCR). MIE provides electronic health record and related services to healthcare entities. MIE also committed to a two-year corrective action plan to resolve potential violations of the [HIPAA] Privacy and Security Rules. Separately, MIE agreed to pay $900,000 to 16 states whose attorneys general had sued the company over a related data breach. The suit was the first of its kind premised on a HIPAA violation." (Poyner Spruill LLP)
HIPAA Guidance and Enforcement: A New Alignment?
"[OCR] announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers ... Shortly after [announcing] this settlement, HHS published guidance on the broad range of HIPAA violations for which a business associate may be held directly liable.... In tandem, the guidance and settlement serve as strong warnings to business associates that they may be held directly liable for acts or omissions that do not meet HIPAA standards." (Ballard Spahr LLP)
[Guidance Overview] OCR Clarifies Direct Liability of Business Associates Under HIPAA
"In one illustrative example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records).... OCR's example demonstrates that the agency will hold business associates accountable for certain contractual obligations it has made with a covered entity, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA." (ReedSmith)
[Official Guidance] Text of HHS Fact Sheet: Direct Liability of Business Associates
"OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth [in this Fact Sheet].... By contrast, OCR lacks the authority to enforce the 'reasonable, cost-based fee' limitation ... against business associates because the HITECH Act does not apply the fee limitation provision to business associates.... If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity." (U.S. Department of Health and Human Services [HHS])
Insecure Server Affects PHI of 300,000 Individuals, Leading to $3 Million Settlement
"The imaging service may have made a significant misstep when it prematurely concluded that no patient PHI was exposed despite the alert from the FBI. Its later admission that PHI of more than 300,000 patients was exposed set the stage for this significant settlement and comprehensive [corrective action plan (CAP)]." (Thomson Reuters / EBIA)
Fact Check: Did the ACA Create Preexisting Condition Protections for People in Employer Plans?
"Protections for preexisting conditions for most people with job-based insurance predated the ACA by more than a decade.... [T]he principal purpose of [HIPAA] was to put an end to what was known as 'job lock.' That happened when people with preexisting health conditions were afraid to leave one job with insurance for another job with insurance because the new insurance would not cover their condition, or would impose long waiting periods.... Most of the states had already attempted to address the job-lock problem by the mid-1990s, but states could not reach the majority of the population with health insurance because they were covered by [ERISA]." (Kaiser Health News)
[Guidance Overview] Health Apps and HIPAA: Recent FAQs Highlight Importance of Covered Entities and Business Associates Scrutinizing their Relationships with App Developers
"OCR's new FAQs extend upon this discussion of the business associate relationship between a covered entity and app developer, and highlight the vicarious liability faced by a covered entity if and when an impermissible use or disclosure of ePHI involves the app. The new FAQs reiterate that if the app was not provided by or on behalf of the covered entity, then the covered entity will not be liable for a breach of any information later experienced by the app. However, if the app was developed for, or provided for or on behalf of, the covered entity, then the covered entity could be held responsible for an impermissible use or disclosure of the ePHI in the app." (ReedSmith)
Can You Afford Not to Investigate a Security Incident?
"HIPAA's administrative safeguards require covered entities to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes. If the security incident rises to the level of a breach the covered entity also has notification requirements. Failure to satisfy these requirements can have very real consequences to your business." (Graydon)
Despite Increased Awareness and Employee Training, Ransomware Is Still the Healthcare Industry's No. 1 Threat
"Training employees to be highly suspicious of attachments and unknown hyperlinks is key to preventing these phishing attacks. Employers should educate employees on how to spot emails that attempt to masquerade as legitimate emails from co-workers and business contacts but often contain a number of [specific tells.]" (Holland & Hart LLP)
HHS Reduces Most Maximum Annual Civil Monetary Penalties for Violations of HIPAA Privacy and Security Rules
"HHS states that its new approach better reflects the language in the HITECH Act.... While lowering most of the annual maximums is a technical change, it is possible that HHS could also lower its demands as part of future resolution agreement settlements." (Segal Consulting)
[Guidance Overview] HHS FAQs Make Clear that Most Healthcare, Fitness Tracker, and Wellness Apps Are Not Covered by HIPAA
"[M]ost people assume that HIPAA protects health information from disclosure or at least provides some higher level of security over health information. However, HIPAA is narrower than most people believe... HHS's FAQs [are] specific to transactions between a patient, a healthcare provider, and the healthcare provider recommending a course of treatment that includes transmitting healthcare information to an app.... The key takeaway here is that app users bear the bulk of responsibility when they choose to input their personal health or other information into apps." (Dickinson Wright PLLC)
$3 Million OCR Touchstone Settlement Warns Health Plans of Perils of HIPAA Violations
"Around May 9, 2014, the [FBI] and OCR notified Touchstone that one of its FTP servers allowed uncontrolled access to PHI that allowed search engines to index the PHI of more than 300,000 of Touchstone's patients, which remained visible on the Internet even after the server was taken offline.... Touchstone did not provide notice of the breach until October, 2014, months after OCR and FBI notified it of the breach.... Covered Entities should learn from the painful lesson learned by Touchstone by reconfirming the adequacy of their current HIPAA compliance and using care to timely and adequately investigate and provide notification if and when a breach occurs." (Solutions Law Press)
[Guidance Overview] OCR Reduces HIPAA Penalties and Clarifies Liability for Transferring ePHI to Third-Party Health Apps
"OCR guidance issued last week changed the Department's historical position that the maximum penalty for violations of an identical HIPAA provision for each of the four types of violations is $1.5 million per year. While OCR retains the $50,000 maximum per-violation penalty across all tiers, its new guidance adopts graduated annual limitations for violations of the same requirement, which lower the annual limitations for all but the most serious violations." (Data Matters, Sidley Austin LLP)
HHS Guidance Clarifies HIPAA Liability with Use of Third-Party Health Apps
"OCR clarifies that when a patient shares protected health information with a third-party app or requests their healthcare provider share their health data with an app, the provider organization is not liable for any subsequent use or disclosure of the data as long as the app developer is not a business associate of the provider." (FierceHealthcare)
[Guidance Overview] HHS Changes Course on Limits for HIPAA Civil Money Penalties
"HHS concluded ... that the better reading of the statute is to apply the following annual limits: $25,000 for violations involving no knowledge. $100,000 for reasonable cause violations. $250,000 for willful neglect violations that are corrected. $1,500,000 for willful neglect that are not corrected.... HIPAA covered entities and business associates will welcome the less severe cumulative annual CMP limits for Tier 1, 2, and 3 violations -- particularly given HHS's aggressive enforcement in the HIPAA space[.]" (Thomson Reuters Practical Law)
[Official Guidance] Text of HHS Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties
"Current HHS regulations apply the same cumulative annual CMP limit across four categories of violations based on the level of culpability. As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the [Health Information Technology for Economic and Clinical Health (HITECH) Act]." (U.S. Department of Health and Human Services [HHS])
Slack Files to Go Public, Aims to Act as HIPAA Business Associate
"The cloud-based communication tool ... is looking to have its messaging application being used by healthcare providers. Slack will be subject to HIPAA, as well as other state health information laws, which will require a keen focus on compliance. Some have raised concerns about vendors potentially accessing protected health information shared in messages, not files, through the service." (HealthLeaders Media)
For HIPAA and Covered Entities and Business Associates: OCR Discussion of Advanced Persistent Threats and Zero Day Vulnerabilities (PDF)
"An advanced persistent threat (APT) is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target's information systems to steal information or disrupt the target's operations.... One of the most dangerous tools in a hacker's arsenal is the 'zero day' exploit or attack which takes advantage of a previously unknown hardware, firmware, or software vulnerability.... There are many security measures that organizations can proactively implement to help mitigate or prevent the damage that an APT or zero day attack may cause." (U.S. Department of Health and Human Services [HHS])
Two Recent HIPAA Breach Cases Highlight Importance of Compliant Business Associate Agreement
"HHS noticed and focused on the fact that the business associate agreements and the processes they outlined between the healthcare providers and the data processing and storage companies were out of date or nonexistent." (Hall Benefits Law)
California's Data Privacy Law Excepts HIPAA-Covered Group Health Plans
"California's sweeping new data privacy law, effective Jan. 1, 2020, gives the state's residents new rights over the use of their personal information.... The law applies to a broad spectrum of personal information but specifically carves out an exception for medical information and health care providers governed by the California Confidentiality of Medical Information Act (CCMIA) as well as protected health information (PHI), covered entities and business associates subject to [HIPAA's] privacy, security and notification rules[.]" (Mercer)
[Official Guidance] CMS Announces HIPAA Compliance Review Program
"[CMS] is launching the Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions. In April 2019, HHS will randomly select 9 HIPAA-covered entities -- a mix of health plans and clearinghouses -- for Compliance Reviews. Any health plan or clearinghouse -- not just those who work with Medicare or Medicaid -- may be selected.... [P]roviders will be able to participate in a separate pilot program on a voluntary basis." (Centers for Medicare & Medicaid Services [CMS], U.S. Department of Health and Human Services [HHS])
Amazon Alexa Now HIPAA-Compliant, Allows Secure Access to Data
"Perhaps more significant than the individual uses is Alexa's ability to now traffic in patient information that is protected by [HIPAA] ... The company said its Alexa Skills Kit, a cloud-based service used to build voice tools, can be used by health firms to create products that transmit and receive patient data. The move will embolden hospitals, insurers, and other health care firms to expose Alexa to more sensitive details of patients' lives and medical conditions, and potentially embed the technology deeper into clinical settings." (STAT)
Court Allows Patients to Pursue Claims Premised on Excessive Fees to Access PHI
"The providers (or their recordkeepers) attempted to charge amounts exceeding the permissible fees for individual access requests under HIPAA, which the patients refused to pay. The patients then sued under state consumer-protection laws -- no private right of action exists under HIPAA.... Citing HHS's access guidance, the court noted that requests by individuals to have a copy of their PHI sent to a third party are subject to the same fee limitations that apply to requests by individuals to have their PHI sent to themselves." [Rios v. Partners in Primary Care, P.A., No. 18-0538 (W.D. Tex. Feb. 15, 2019)] (Thomson Reuters / EBIA)
What Can We Learn From 2018's Record-High HIPAA Penalties?
"While most of the penalties were assessed against providers, there are some lessons employers with health plans can learn from these enforcement efforts: [1] It's not the breach; it's the lack of compliance.... [2] We are (still) living in a material world.... [3] BAAs Matter.... [4] Those who know shouldn't speak." (HUB International)
OCR Report to Congress on HIPAA Compliance for 2015-2017 (PDF)
40 pages. "[This] report summarizes [OCR's] compliance and enforcement activities with respect to the HIPAA Privacy, Security, and Breach Notification Rules [for 2015, 2016 and 2017] ... OCR completed desk audits and its examination of documentation for 166 covered entities in September 2017 and 41 business associates in December 2017. These audits found that all types of audited entities fail to implement effective risk analysis and risk management strategies pursuant to the HIPAA Security Rule, and most audited entities fail to adequately safeguard protected health information and ensure individual access as required by the HIPAA Privacy Rule." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Server Vulnerabilities Affect PHI of 60,000 Individuals and Lead to $3 Million Settlement
"Because servers can store large amounts of PHI, violations can affect many individuals and lead to significant settlement payments -- including a $4.8 million settlement in May 2014 and a $2.14 million settlement in October 2016.... Whenever changes are made to a device capable of storing or processing PHI, an evaluation should be undertaken to identify and address vulnerabilities to PHI." (Thomson Reuters / EBIA)
Court Dismisses Most Claims for Damages Arising From Large Data Breach
"Even when liability for a breach is clear, individuals may face an uphill battle to obtain a recovery. Most courts have held that HIPAA does not establish a private right of action for damages. In addition, many courts are skeptical of claims for damages unless individuals can show that their personal information was actually misused with adverse financial consequences." [Attias v. CareFirst, Inc., No. 15-882 (D. D.C. Jan. 20, 2019)] (Thomson Reuters / EBIA)
Navigating Telehealth Benefits Compliance Issues
"[If] telehealth benefits are available to employees not enrolled in the medical plan, the employer will have to ensure that the benefit is either: [1] reflected in the Form 5500 and the plan document ... or [2] that a separate 5500 filing is made and a separate plan document is maintained ... [and] separate COBRA administration will be required.... Because the obligation to comply with MHPAEA falls on group health plans, employers should not assume that a vendor's standard offering includes MH/SUD services ... [D]iffering -- and evolving -- state laws also affect these benefits." (Buck)
March 1 Deadline Approaching to Submit Data Breach Reports
"Breaches discovered by a covered entity in 2018 and involving fewer than 500 individuals must be submitted via OCR's website portal by March 1, 2019.... A separate report must be submitted for each breach that occurred during the 2018 calendar year. A copy of the completed form should be printed prior to and after submission and maintained in the covered entity's records to document the notification." (McDonald Hopkins)
2018 Was a Record Year in HIPAA Enforcement
"OCR had only entered into three settlements to resolve HIPAA violations by mid-year. But, enforcement activity picked up in the fall of 2018. In October, OCR issued the largest financial penalty ever imposed on a covered entity. Per the terms of the settlement agreement reached with the OCR, Anthem was required to pay $16 million and take substantial corrective action to resolve the HIPAA violations that led to the largest U.S. health data breach in history." (Carlton Fields)
Identifying a HIPAA Privacy or Security Breach (PDF)
"In performing a HIPAA breach risk assessment, a covered entity should consider factors which include ... [1] The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; [2] The unauthorized person who used the PHI or to whom the disclosure was made; [3] Whether the PHI was actually acquired or viewed; and [4] The extent to which the risk to the PHI has been mitigated." (OneDigital Health and Benefits)
Record-Setting 2018 Enforcement Show Need for Proactive Health Plan HIPAA Compliance
"[HHS] Office of Civil Rights (OCR) [announced] that its 2018 year-end $3 Million Resolution Agreement with California-based Cottage Health increased OCR's already record-setting enforcement recoveries in 2018 to nearly $28.7 million ... Along with acting to ensure their own organization's ability to defend their HIPAA compliance, Covered Entities and their leaders also should take advantage of the opportunity to provide input to OCR on opportunities for simplifying and improving OCR's HIPAA regulations and enforcement[.]" (Solutions Law Press)
First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement
"The AGs have brought their claims under HIPAA and a variety of state statutes, i.e., state data breach and unfair or deceptive trade acts and practices laws. They argue that the Company failed to protect its computer systems adequately, take steps to prevent the breach, disclose material facts to consumers, and provide timely and adequate notice[.]" [Indiana v. Med. Informatics Engineering, Inc., No. 18-969 (N.D. Ind., complaint filed Dec. 3, 2018)] (Data Matters, Sidley Austin LLP)
Deadline Approaching to Submit Comments on Potential Updates to HIPAA in Response to Agency Request for Information
"On December 14, 2018, the [HHS] Office for Civil Rights (OCR) issued a broad request for information (RFI) to help the agency identify and address undue obstacles to the sharing of protected health information (PHI) among health care providers, payers, patients and caregivers. Comments are due February 12, 2019." (Akin Gump)
HIPAA Settlements Highlight Importance of Business Associate Contracts
"To date, at least seven resolution agreements have resulted from a covered entity's failure to enter into, or update, business associate contracts. Recognizing when a service provider is a business associate is crucial. Once business associates are identified, covered entities should keep a detailed inventory of business associate contracts and make sure they are accessible and updated. Failure to terminate access has also caught OCR's attention -- leading, for example, to a $5.5 million settlement in February 2017[.]" (Thomson Reuters / EBIA)
HHS Requests Public Input on Potential Changes to HIPAA Privacy and Security Rules
"The RFI includes questions about various aspects of the privacy rule's disclosure provisions, with the goal of promoting information sharing for treatment and care coordination.... The RFI notes anecdotal evidence suggesting that some covered entities are reluctant to disclose PHI to relatives of individuals facing health crises for fear of violating HIPAA.... The RFI asks whether the requirements for Notices of Privacy Practices can be made less burdensome, whether the model notices are being used, and whether there are better ways to inform individuals of their HIPAA rights." (Thomson Reuters / EBIA)
Healthcare Industry Reminded to Heed Cybersecurity: New 'Industry Standard' Guidance
"HHS in partnership with the healthcare industry has released 'Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients' ... This four-volume publication addresses voluntary, best cybersecurity practices for healthcare organizations of all sizes.... The resource should not be read to override other healthcare security obligations (such as under [HIPAA]) but may help fill interpretation gaps where there's discretion on how to meet a specific HIPAA security standard. It may also be grounds to show lack of reasonable security in support of legal claims under other laws beyond HIPAA." (Womble Bond Dickinson)
[Guidance Overview] HIPAA Breach Notification: When and How to Self-Report
"Under the breach notification rule, covered entities are only required to self-report if there is a 'breach' of 'unsecured' PHI.... [T]he covered entity or business associate must determine the following: Was there a violation of the privacy rule? ... Does the violation fit within breach exception? ... Is there a 'low probability that the data has been compromised?' ... When in doubt, it is likely safer to report." (Holland & Hart LLP)
HIPAA and Health Care Data Privacy: 2018 Year-in-Review
"Though there were fewer resolution agreements than in 2017, 2018 brought us the largest fine since OCR began enforcing HIPAA (Anthem's payment of $16 million in October). With this year's resolution agreements ... we see many of the same enforcement themes we have seen in previous years, including: [1] the importance of conducting an accurate and thorough risk assessment; [2] the necessity of business associate agreements; and [3] the need to be good at the 'basics' of HIPAA compliance." (Mintz)
Does Loss of Eligibility for Short-Term, Limited-Duration Health Insurance Trigger HIPAA Special Enrollment Rights?
"The preamble to the regulations indicates that loss of eligibility for short-term, limited-duration coverage gives rise to a HIPAA special enrollment right with respect to group health plan coverage ... [L]oss of eligibility does not include loss of coverage resulting from the failure to pay timely premiums or voluntarily dropping coverage. Thus, special enrollment rights under your plan will not be triggered ... solely because an employee becomes dissatisfied with the short-term, limited-duration coverage and decides to drop the coverage." (Thomson Reuters / EBIA)
[Official Guidance] Text of EBSA Updated FAQs: EFAST2 Form 5500 Electronic Filing for Small Businesses
"Q1: Do I need to buy software to submit my Form 5500 or 5500-SF? ... Q2: If I want to use IFILE, what do I need? ... Q3: What do you mean by EFAST2 credentials and why do I need them? ... Q4: Is it easy to get EFAST2 credentials? ... Q5: If I don't want to get EFAST2 credentials so that I can personally file my plan's Form 5500 or Form 5500-SF, is there any way that I can have a service provider complete and electronically file the Form 5500/5500-SF for me? ... Q6: Once my completed and electronically signed Form 5500 or 5500-SF is transmitted, how do I confirm that it was received by EFAST2? ... Q7: Are there civil penalties for failure to electronically file the plan's Form 5500 or Form 5500-SF? ... Q8: Is there a process to appeal civil penalties assessed for failing to e-file?" (Employee Benefits Security Administration [EBSA], U.S. Department of Labor [DOL])
[Official Guidance] Reminders to Qualified Health Plan Issuers: CMS QHP Requirements for Personally Identifiable Information Breach and Security Incident Reporting (PDF)
Unnumbered document; Dec. 14, 2018. "What happens if a QHPI fails to report a suspected or confirmed Incident or Breach involving PII?" (Centers for Medicare & Medicaid Services [CMS], U.S. Department of Health and Human Services [HHS])
[Guidance Overview] HHS Seeks Public Input on Improving Care Coordination and Reducing the Regulatory Burdens of the HIPAA Rules
"HHS developed the HIPAA Rules to protect individuals' health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients' ability to exercise their rights with respect to their PHI." (U.S. Department of Health and Human Services [HHS])
[Official Guidance] Text of HHS RFI on Modifying HIPAA Rules to Improve Coordinated Care
"The Office for Civil Rights (OCR) is issuing this Request for Information (RFI) to assist OCR in identifying provisions of the [HIPAA] privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals' protected health information. This RFI requests information on whether and how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals' rights with respect to it." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Former HHS Official Says Health Data Must be Portable, But Don't Forget the Consumer
"HIPAA does not address the handling of PHI by other entities, typically referred to as 'non-covered entities,' including many new consumer health technology companies (and even some healthcare providers who don't accept insurance). Limited protections exist for data held by these entities under current state and federal law." (Bloomberg BNA)
DOL Lawsuits Show Increased Enforcement of HIPAA Wellness Rules
"Recent lawsuits against certain employers assert that their health-contingent outcome-based wellness programs don't comply with the HIPAA wellness rules, generally by not offering a [reasonable alternative standard (RAS)].... Most of the participants in the recent DOL lawsuits who did not confirm they had quit smoking -- that is, were tobacco free -- for some duration, such as six months, had to pay surcharges. Moreover, the employers failed to give participants who met the RAS a way to avoid the surcharge retroactively, which is required under HIPAA's wellness rules." (Willis Towers Watson)
Healthcare Data Breach Enforcements and Fines
"[1] While enforcement activities and fines are projecting upward, they appear stable between 2014-2015. [2] Only a minority of investigations lead to fines and penalties. [3] Cooperation in government-initiated compliance reviews is key to reducing the risk of a penalty. [4] Having multiple incidents, even if minor on their own, tends to trigger an investigation and lead to fines and [Resolution Agreements]. [5] All entities, regardless of size, are at risk of being found non-compliant and facing large fines in an investigation." (Bryan Cave Leighton Paisner)
Checklist for Evaluating Business Associate Compliance with HIPAA
"[1] Verify that a Business Associate Agreement is in-place with all service providers that handle PHI. [2] Designate a security officer. [3] Perform a Security Risk Assessment. [4] Implement administrative, physical, and technical safeguards to protect PHI. [5] Identify and report breaches of security. [6] Develop policies for HIPAA / HITECH compliance. [7] Impose disciplinary actions where employees or vendors violate HIPAA / HITECH obligations. [8] Maintain HIPAA and HITECH relevant documentation for such periods as required by law." (Bryan Cave Leighton Paisner)
$16 Million Record-Breaking HIPAA Settlement
"While this phishing attack took place in 2015, it is another example in the increasing trend of phishing campaigns and the significant reach these cyberattacks can have on targeted companies.... [W]hile an enterprise-wide risk analysis is important and required, less time consuming efforts can also be extremely effective preventive measures.... [P]hishing awareness programs (including an organization phishing campaign) can go a long way in addressing the significant human factor in decreasing these types of cyberattacks." (Quarles & Brady LLP)
Changes Ahead for HIPAA?
"HHS plans to issue a request for information on a proposal to share a percentage of money paid by health care organizations through civil monetary penalties or monetary settlements resulting from data breaches with the affected individuals.... HHS's list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information." (Mintz)
Handling HIPAA Breaches: Investigating, Mitigating and Reporting
"[1] Stop the breach.... [2] Contact the privacy officer.... [3] Respond promptly.... [4] Investigate appropriately.... [5] Mitigate the effects of the breach.... [6] Correct the breach.... [7] Impose sanctions.... [8] Determine if the breach must be reported to the individual and HHS.... [9] If required, report the breach to the individual and HHS." (Holland & Hart LLP)
[Guidance Overview] Wellness Promotion/Prevention: Overcoming Legal and Compliance Hurdles (PDF)
28 presentation slides. Topics include: [1] HIPAA nondiscrimination requirements; [2] Americans with Disabilities Act (ADA); [3] Genetic Information Nondiscrimination Act (GINA); [4] Age Discrimination in Employment Act (ADEA); [5] ERISA/ACA compliance issues; [6] HIPAA administrative simplification (privacy, EDI, and security); [7] COBRA; [8] ERISA; [9] Income tax; [10] Plan design/integration issues (e.g., HRAs and HSAs); [11] State law. (Alston & Bird)
Maintaining Current Enterprise Wide Security Risk Assessment Critical to Managing HIPAA Security Rule and Other Breach Risks
"HIPAA Entities generally will want to ensure that their new enterprise risk assessment documents their consideration of [1] the newly updated Security Risk Assessment (SRA) Tool ... [2] lessons shared in OCR's $16 million Anthem, Inc. resolution agreement, [3] $5.55 million resolution agreement with Memorial Healthcare System and other OCR HIPAA resolution agreements, [4] civil monetary penalty assessments and other Security Rule guidance, [and] ... [5] other emergent internal and external data suggesting potential susceptibilities of their own systems and data to breach or loss." (Solutions Law Press)
HIPAA and Accounting Cybersecurity Update
"The SEC had been investigating 9 publicly traded companies who became victims ... The fake vendor scams were emails from company vendors (following hacking into vendor systems) requesting payment to the vendors but directing the funds to non-vendor accounts.... [Two of the companies] lost in excess of $30 million and all 9 in total lost nearly $100 million. Because HR requires the use of a number of vendors to deliver benefits, it is important that all of the HR department personnel be alert when reviewing email requests for payment." (Winstead PC)
Anthem's $16 Million HIPAA Settlement Is Largest in History
"HHS has begun providing tools for addressing cyber attacks, though in some ways these resources are geared more toward incident response than to preventing an attack in the first place.... In the Anthem settlement, HHS focuses on at least two compliance shortfalls that contributed to the breach -- not conducting a thorough risk analysis of potential risks to ePHI and not regularly reviewing records of information system activity." (Thomson Reuters Practical Law)
HHS Increases Civil Money Penalties for HIPAA Noncompliance
"The adjusted penalty amounts apply to penalties assessed on or after October 11, 2018, if the violation occurred on or after November 2, 2015 ... [A] table reflects certain of HHS's annual inflation adjustments to the civil money penalties for HHS-administered provisions, effective October 11, 2018." (Thomson Reuters Practical Law)
How to Avoid a $16 Million Settlement with HHS
"While you may not have PHI of 79 million individuals, even a single violation of HIPAA can lead to the $1.5 million cap per violation very quickly (as HHS has the authority to penalize a covered entity up to $50,000 per violation per individual impacted). This breach all began with employees receiving phishing emails. At least one Anthem employee responded to the phishing email, which opened the door to the cyber-attackers obtaining personally identifiable information of approximately 79 million individuals." (Graydon)
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
"The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.... This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans." (U.S. Department of Health and Human Services [HHS])
HHS Adjusts Penalties for HIPAA Violations (PDF)
"HHS has announced its annual inflation-related adjustments to civil monetary penalties for violations of the HIPAA Privacy and Security Rules. These penalties reflect a 2.041 percent increase over the prior amounts and are effective as of October 11, 2018.... The new amounts apply only to penalties assessed on or after October 11, 2018, for violations occurring on or after November 2, 2015." (Buck)
© 2019, Inc.