
News Items, by Subject

Health plan admin - HIPAA


OCR Report to Congress on HIPAA Compliance for 2015-2017 (PDF)
40 pages. "[This] report summarizes [OCR's] compliance and enforcement activities with respect to the HIPAA Privacy, Security, and Breach Notification Rules [for 2015, 2016 and 2017] ... OCR completed desk audits and its examination of documentation for 166 covered entities in September 2017 and 41 business associates in December 2017. These audits found that all types of audited entities fail to implement effective risk analysis and risk management strategies pursuant to the HIPAA Security Rule, and most audited entities fail to adequately safeguard protected health information and ensure individual access as required by the HIPAA Privacy Rule." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Server Vulnerabilities Affect PHI of 60,000 Individuals and Lead to $3 Million Settlement
"Because servers can store large amounts of PHI, violations can affect many individuals and lead to significant settlement payments -- including a $4.8 million settlement in May 2014 and a $2.14 million settlement in October 2016.... Whenever changes are made to a device capable of storing or processing PHI, an evaluation should be undertaken to identify and address vulnerabilities to PHI." (Thomson Reuters / EBIA)
Court Dismisses Most Claims for Damages Arising From Large Data Breach
"Even when liability for a breach is clear, individuals may face an uphill battle to obtain a recovery. Most courts have held that HIPAA does not establish a private right of action for damages. In addition, many courts are skeptical of claims for damages unless individuals can show that their personal information was actually misused with adverse financial consequences." [Attias v. CareFirst, Inc., No. 15-882 (D. D.C. Jan. 20, 2019)] (Thomson Reuters / EBIA)
Navigating Telehealth Benefits Compliance Issues
"[If] telehealth benefits are available to employees not enrolled in the medical plan, the employer will have to ensure that the benefit is either: [1] reflected in the Form 5500 and the plan document ... or [2] that a separate 5500 filing is made and a separate plan document is maintained ... [and] separate COBRA administration will be required.... Because the obligation to comply with MHPAEA falls on group health plans, employers should not assume that a vendor's standard offering includes MH/SUD services ... [D]iffering -- and evolving -- state laws also affect these benefits." (Buck)
March 1 Deadline Approaching to Submit Data Breach Reports
"Breaches discovered by a covered entity in 2018 and involving fewer than 500 individuals must be submitted via OCR's website portal by March 1, 2019.... A separate report must be submitted for each breach that occurred during the 2018 calendar year. A copy of the completed form should be printed prior to and after submission and maintained in the covered entity's records to document the notification." (McDonald Hopkins)
2018 Was a Record Year in HIPAA Enforcement
"OCR had only entered into three settlements to resolve HIPAA violations by mid-year. But, enforcement activity picked up in the fall of 2018. In October, OCR issued the largest financial penalty ever imposed on a covered entity. Per the terms of the settlement agreement reached with the OCR, Anthem was required to pay $16 million and take substantial corrective action to resolve the HIPAA violations that led to the largest U.S. health data breach in history." (Carlton Fields)
Identifying a HIPAA Privacy or Security Breach (PDF)
"In performing a HIPAA breach risk assessment, a covered entity should consider factors which include ... [1] The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; [2] The unauthorized person who used the PHI or to whom the disclosure was made; [3] Whether the PHI was actually acquired or viewed; and [4] The extent to which the risk to the PHI has been mitigated." (OneDigital Health and Benefits)
Record-Setting 2018 Enforcement Shows Need for Proactive Health Plan HIPAA Compliance
"[HHS] Office of Civil Rights (OCR) [announced] that its 2018 year-end $3 Million Resolution Agreement with California-based Cottage Health increased OCR's already record-setting enforcement recoveries in 2018 to nearly $28.7 million ... Along with acting to ensure their own organization's ability to defend their HIPAA compliance, Covered Entities and their leaders also should take advantage of the opportunity to provide input to OCR on opportunities for simplifying and improving OCR's HIPAA regulations and enforcement[.]" (Solutions Law Press)
First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement
"The AGs have brought their claims under HIPAA and a variety of state statutes, i.e., state data breach and unfair or deceptive trade acts and practices laws. They argue that the Company failed to protect its computer systems adequately, take steps to prevent the breach, disclose material facts to consumers, and provide timely and adequate notice[.]" [Indiana v. Med. Informatics Engineering, Inc., No. 18-969 (N.D. Ind., complaint filed Dec. 3, 2018)] (Data Matters, Sidley Austin LLP)
Deadline Approaching to Submit Comments on Potential Updates to HIPAA in Response to Agency Request for Information
"On December 14, 2018, the [HHS] Office for Civil Rights (OCR) issued a broad request for information (RFI) to help the agency identify and address undue obstacles to the sharing of protected health information (PHI) among health care providers, payers, patients and caregivers. Comments are due February 12, 2019." (Akin Gump)
HIPAA Settlements Highlight Importance of Business Associate Contracts
"To date, at least seven resolution agreements have resulted from a covered entity's failure to enter into, or update, business associate contracts. Recognizing when a service provider is a business associate is crucial. Once business associates are identified, covered entities should keep a detailed inventory of business associate contracts and make sure they are accessible and updated. Failure to terminate access has also caught OCR's attention -- leading, for example, to a $5.5 million settlement in February 2017[.]" (Thomson Reuters / EBIA)
HHS Requests Public Input on Potential Changes to HIPAA Privacy and Security Rules
"The RFI includes questions about various aspects of the privacy rule's disclosure provisions, with the goal of promoting information sharing for treatment and care coordination.... The RFI notes anecdotal evidence suggesting that some covered entities are reluctant to disclose PHI to relatives of individuals facing health crises for fear of violating HIPAA.... The RFI asks whether the requirements for Notices of Privacy Practices can be made less burdensome, whether the model notices are being used, and whether there are better ways to inform individuals of their HIPAA rights." (Thomson Reuters / EBIA)
Healthcare Industry Reminded to Heed Cybersecurity: New 'Industry Standard' Guidance
"HHS in partnership with the healthcare industry has released 'Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients' ... This four-volume publication addresses voluntary, best cybersecurity practices for healthcare organizations of all sizes.... The resource should not be read to override other healthcare security obligations (such as under [HIPAA]) but may help fill interpretation gaps where there's discretion on how to meet a specific HIPAA security standard. It may also be grounds to show lack of reasonable security in support of legal claims under other laws beyond HIPAA." (Womble Bond Dickinson)
[Guidance Overview] HIPAA Breach Notification: When and How to Self-Report
"Under the breach notification rule, covered entities are only required to self-report if there is a 'breach' of 'unsecured' PHI.... [T]he covered entity or business associate must determine the following: Was there a violation of the privacy rule? ... Does the violation fit within breach exception? ... Is there a 'low probability that the data has been compromised?' ... When in doubt, it is likely safer to report." (Holland & Hart LLP)
HIPAA and Health Care Data Privacy: 2018 Year-in-Review
"Though there were fewer resolution agreements than in 2017, 2018 brought us the largest fine since OCR began enforcing HIPAA (Anthem's payment of $16 million in October). With this year's resolution agreements ... we see many of the same enforcement themes we have seen in previous years, including: [1] the importance of conducting an accurate and thorough risk assessment; [2] the necessity of business associate agreements; and [3] the need to be good at the 'basics' of HIPAA compliance." (Mintz)
Does Loss of Eligibility for Short-Term, Limited-Duration Health Insurance Trigger HIPAA Special Enrollment Rights?
"The preamble to the regulations indicates that loss of eligibility for short-term, limited-duration coverage gives rise to a HIPAA special enrollment right with respect to group health plan coverage ... [L]oss of eligibility does not include loss of coverage resulting from the failure to pay timely premiums or voluntarily dropping coverage. Thus, special enrollment rights under your plan will not be triggered ... solely because an employee becomes dissatisfied with the short-term, limited-duration coverage and decides to drop the coverage." (Thomson Reuters / EBIA)
[Official Guidance] Text of EBSA Updated FAQs: EFAST2 Form 5500 Electronic Filing for Small Businesses
"Q1: Do I need to buy software to submit my Form 5500 or 5500-SF? ... Q2: If I want to use IFILE, what do I need? ... Q3: What do you mean by EFAST2 credentials and why do I need them? ... Q4: Is it easy to get EFAST2 credentials? ... Q5: If I don't want to get EFAST2 credentials so that I can personally file my plan's Form 5500 or Form 5500-SF, is there any way that I can have a service provider complete and electronically file the Form 5500/5500-SF for me? ... Q6: Once my completed and electronically signed Form 5500 or 5500-SF is transmitted, how do I confirm that it was received by EFAST2? ... Q7: Are there civil penalties for failure to electronically file the plan's Form 5500 or Form 5500-SF? ... Q8: Is there a process to appeal civil penalties assessed for failing to e-file?" (Employee Benefits Security Administration [EBSA], U.S. Department of Labor [DOL])
[Official Guidance] Reminders to Qualified Health Plan Issuers: CMS QHP Requirements for Personally Identifiable Information Breach and Security Incident Reporting (PDF)
Unnumbered document; Dec. 14, 2018. "What happens if a QHPI fails to report a suspected or confirmed Incident or Breach involving PII? ... What happens if a QHPI fails to report a suspected or confirmed Incident or Breach involving PII?" (Centers for Medicare & Medicaid Services [CMS], U.S. Department of Health and Human Services [HHS])
[Guidance Overview] HHS Seeks Public Input on Improving Care Coordination and Reducing the Regulatory Burdens of the HIPAA Rules
"HHS developed the HIPAA Rules to protect individuals' health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients' ability to exercise their rights with respect to their PHI." (U.S. Department of Health and Human Services [HHS])
[Official Guidance] Text of HHS RFI on Modifying HIPAA Rules to Improve Coordinated Care
"The Office for Civil Rights (OCR) is issuing this Request for Information (RFI) to assist OCR in identifying provisions of the [HIPAA] privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals' protected health information. This RFI requests information on whether and how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals' rights with respect to it." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Former HHS Official Says Health Data Must be Portable, But Don't Forget the Consumer
"HIPAA does not address the handling of PHI by other entities, typically referred to as 'non-covered entities,' including many new consumer health technology companies (and even some healthcare providers who don't accept insurance). Limited protections exist for data held by these entities under current state and federal law." (Bloomberg BNA)
DOL Lawsuits Show Increased Enforcement of HIPAA Wellness Rules
"Recent lawsuits against certain employers assert that their health-contingent outcome-based wellness programs don't comply with the HIPAA wellness rules, generally by not offering a [reasonable alternative standard (RAS)].... Most of the participants in the recent DOL lawsuits who did not confirm they had quit smoking -- that is, were tobacco free -- for some duration, such as six months, had to pay surcharges. Moreover, the employers failed to give participants who met the RAS a way to avoid the surcharge retroactively, which is required under HIPAA's wellness rules." (Willis Towers Watson)
Healthcare Data Breach Enforcements and Fines
"[1] While enforcement activities and fines are projecting upward, they appear stable between 2014-2015. [2] Only a minority of investigations lead to fines and penalties. [3] Cooperation in government-initiated compliance reviews is key to reducing the risk of a penalty. [4] Having multiple incidents, even if minor on their own, tends to trigger an investigation and lead to fines and [Resolution Agreements]. [5] All entities, regardless of size, are at risk of being found non-compliant and facing large fines in an investigation." (Bryan Cave Leighton Paisner)
Checklist for Evaluating Business Associate Compliance with HIPAA
"[1] Verify that a Business Associate Agreement is in-place with all service providers that handle PHI. [2] Designate a security officer. [3] Perform a Security Risk Assessment. [4] Implement administrative, physical, and technical safeguards to protect PHI. [5] Identify and report breaches of security. [6] Develop policies for HIPAA / HITECH compliance. [7] Impose disciplinary actions where employees or vendors violate HIPAA / HITECH obligations. [8] Maintain HIPAA and HITECH relevant documentation for such periods as required by law." (Bryan Cave Leighton Paisner)
$16 Million Record-Breaking HIPAA Settlement
"While this phishing attack took place in 2015, it is another example in the increasing trend of phishing campaigns and the significant reach these cyberattacks can have on targeted companies.... [W]hile an enterprise-wide risk analysis is important and required, less time consuming efforts can also be extremely effective preventive measures.... [P]hishing awareness programs (including an organization phishing campaign) can go a long way in addressing the significant human factor in decreasing these types of cyberattacks." (Quarles & Brady LLP)
Changes Ahead for HIPAA?
"HHS plans to issue a request for information on a proposal to share a percentage of money paid by health care organizations through civil monetary penalties or monetary settlements resulting from data breaches with the affected individuals.... HHS's list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information." (Mintz)
Handling HIPAA Breaches: Investigating, Mitigating and Reporting
"[1] Stop the breach.... [2] Contact the privacy officer.... [3] Respond promptly.... [4] Investigate appropriately.... [5] Mitigate the effects of the breach.... [6] Correct the breach.... [7] Impose sanctions.... [8] Determine if the breach must be reported to the individual and HHS.... [9] If required, report the breach to the individual and HHS." (Holland & Hart LLP)
[Guidance Overview] Wellness Promotion/Prevention: Overcoming Legal and Compliance Hurdles (PDF)
28 presentation slides. Topics include: [1] HIPAA nondiscrimination requirements; [2] Americans with Disabilities Act (ADA); [3] Genetic Information Nondiscrimination Act (GINA); [4] Age Discrimination in Employment Act (ADEA); [5] ERISA/ACA compliance issues; [6] HIPAA administrative simplification (privacy, EDI, and security); [7] COBRA; [8] ERISA; [9] Income tax; [10] Plan design/integration issues (e.g., HRAs and HSAs); [11] State law. (Alston & Bird)
Maintaining Current Enterprise Wide Security Risk Assessment Critical to Managing HIPAA Security Rule and Other Breach Risks
"HIPAA Entities generally will want to ensure that their new enterprise risk assessment documents their consideration of [1] the newly updated Security Risk Assessment (SRA) Tool ... [2] lessons shared in OCR's $16 million Anthem, Inc. resolution agreement, [3] $5.55 million resolution agreement with Memorial Healthcare System and other OCR HIPAA resolution agreements, [4] civil monetary penalty assessments and other Security Rule guidance, [and] ... [5] other emergent internal and external data suggesting potential susceptibilities of their own systems and data to breach or loss." (Solutions Law Press)
HHS Opens Door to Major Health-Care Privacy Changes
"[HHS] will release a request for information in November asking the public whether [HIPAA] is blocking a move toward providing coordinated care for patients and creating a value-based payment system ... New regulations in this area could especially enhance the ability of providers to exchange patient information and improve overall patient care[.]" (Bloomberg BNA)
HIPAA and Accounting Cybersecurity Update
"The SEC had been investigating 9 publicly traded companies who became victims ... The fake vendor scams were emails from company vendors (following hacking into vendor systems) requesting payment to the vendors but directing the funds to non-vendor accounts.... [Two of the companies] lost in excess of $30 million and all 9 in total lost nearly $100 million. Because HR requires the use of a number of vendors to deliver benefits, it is important that all of the HR department personnel be alert when reviewing email requests for payment." (Winstead PC)
Anthem's $16 Million HIPAA Settlement Is Largest in History
"HHS has begun providing tools for addressing cyber attacks, though in some ways these resources are geared more toward incident response than to preventing an attack in the first place.... In the Anthem settlement, HHS focuses on at least two compliance shortfalls that contributed to the breach -- not conducting a thorough risk analysis of potential risks to ePHI and not regularly reviewing records of information system activity." (Thomson Reuters Practical Law)
HHS Increases Civil Money Penalties for HIPAA Noncompliance
"The adjusted penalty amounts apply to penalties assessed on or after October 11, 2018, if the violation occurred on or after November 2, 2015 ... [A] table reflects certain of HHS's annual inflation adjustments to the civil money penalties for HHS-administered provisions, effective October 11, 2018." (Thomson Reuters Practical Law)
How to Avoid a $16 Million Settlement with HHS
"While you may not have PHI of 79 million individuals, even a single violation of HIPAA can lead to the $1.5 million cap per violation very quickly (as HHS has the authority to penalize a covered entity up to $50,000 per violation per individual impacted). This breach all began with employees receiving phishing emails. At least one Anthem employee responded to the phishing email, which opened the door to the cyber-attackers obtaining personally identifiable information of approximately 79 million individuals." (Graydon)
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
"The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.... This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans." (U.S. Department of Health and Human Services [HHS])
HHS Adjusts Penalties for HIPAA Violations (PDF)
"HHS has announced its annual inflation-related adjustments to civil monetary penalties for violations of the HIPAA Privacy and Security Rules. These penalties reflect a 2.041 percent increase over the prior amounts and are effective as of October 11, 2018.... The new amounts apply only to penalties assessed on or after October 11, 2018, for violations occurring on or after November 2, 2015." (Buck)
Unauthorized Disclosure of PHI During Filming of TV Series Leads to Nearly $1 Million in HIPAA Settlements
"[T]hese settlements provide important reminders. First, information that identifies, or can be used to identify, individuals may be PHI, even if the individuals are not specifically named.... Second, HIPAA generally does not recognize implied authorizations to use or disclose PHI." (Thomson Reuters / EBIA)
Television Crew's Filming of Hospital Patients Results in HIPAA Settlements Totaling Nearly $1 Million
"In some cases the hospitals had reviewed and assessed patient privacy issues concerning the filming and adopted protections concerning patient privacy, for example, providing the film crews with the same HIPAA privacy training that workforce members received ... Despite these protections, however, HHS concluded in its investigations that the hospitals: [1] Impermissibly disclosed patients' protected health information (PHI) to the television crews by permitting filming without first receiving patient authorizations. [2] Failed to adequately safeguard patient PHI from disclosure." (Thomson Reuters Practical Law)
OCR Cybersecurity Newsletter: Considerations for Securing Electronic Media and Devices (PDF)
"To reduce the risk of loss, theft, and the potential of a breach of PHI, organizations may want to consider the following questions ... [1] Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles? ... [2] Does the organization's record of device and media movement include the person(s) responsible for such devices and media? ... [3] Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI? ... [4] Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?" [August 2018] (U.S. Department of Health and Human Services [HHS])
HHS Addresses Disposing of Electronic Devices and Media Under HIPAA
"HHS's Office for Civil Rights (OCR) has issued newsletter guidance on disposing of electronic devices and media that may contain protected health information (PHI) subject to HIPAA ... The newsletter addresses procedures for securely decommissioning and disposing of devices or media that need to be replaced. In general, these procedures involve either: Destroying the devices or media [or] Removing any confidential or sensitive information stored on the devices or media." (Thomson Reuters Practical Law)
HIPAA Case Study Shows How to Get it Right
"Employers that are, or that have plans, subject to HIPAA should: [1] Ensure you have HIPAA and disciplinary policies that are well written, clear, and understandable. [2] Provide examples of prohibited conduct. [3] Enforce your policies consistently and across the board -- don't make exceptions or vary your response to similar violations and misconduct. [4] Ensure that employees are trained and tested on a regular basis ... [5] Monitor employee conduct and behavior for compliance ... [6] Be sure that if you are a medical provider that provides care to your employees that they are included in the protections offered by your policies." (HUB International)
Frequently Overlooked Mistakes in HIPAA Compliance
"HIPAA requires that disclosure of health care records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information (PHI) is only entitled to those data points necessary to perform their function, e.g. names and addresses.... HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure.... [I]ncorporating compliance into the succession plan at the earliest possible stage is the prudent approach." (Poyner Spruill LLP)
To Bring Health Information Privacy Into the 21st Century, Look Beyond HIPAA
"Even though HIPAA remains 'surprisingly functional,' significant gaps persist. These gaps, however, derive not from HIPAA per se, but from the patchwork of health information privacy rules outside of HIPAA.... [O]ne element of this patchwork: the complex rules around and new challenges created by big data analytics. [Additional examples are] ... Social Media ... The Role of States ... Veterans ... Following the European Union's Lead." (Health Affairs)
[Guidance Overview] OCR Cybersecurity Newsletter: Guidance on Software Vulnerabilities and Patching (PDF)
"Identifying software vulnerabilities and mitigating the associated risks are important activities for [HIPAA covered entities and business associates] to conduct as part of their security management process and technical evaluations.... Mitigation activities could include installing patches ... In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching ... entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level[.]" (U.S. Department of Health and Human Services [HHS])
Privacy Please: HIPAA and Artificial Intelligence
"A critical threshold question is at what point does an AI vendor become subject to HIPAA? The answer has significant ramifications for both the AI vendor and the covered customer, which may be a health care provider, health plan, clearinghouse, or business associate. The AI functionality could fall along a continuum ranging from falling outside of HIPAA to triggering the business associate obligations subject to HIPAA." (Artificial Intelligence Law Advisor, Davis Wright Tremaine LLP)
Failure to Encrypt Leads to $4.3 Million in HIPAA Civil Money Penalties
"The breach reports involved: The theft of an unencrypted laptop computer, used for teleworking, which contained the electronic protected health information (ePHI) of nearly 30,000 individuals, from a workforce member's residence. The loss of two unencrypted USB drives, which had belonged to a trainee and a visiting researcher (respectively), and collectively contained the ePHI of roughly 5,800 individuals.... The ALJ's ruling faults the CE, at length, for adopting policies that acknowledged the need for encryption and protecting confidential information (including ePHI), but not fully carrying out those policies in practice for years." (Thomson Reuters Practical Law)
OCR Provides Reminder About Fundamental Aspect of Physical Security for PHI
"One aspect of security that is lurking in plain sight is the workstation. The Security Rule ... focuses on two key areas: [1] controls on physical access to the facility or area where systems which process Protected Health Information (PHI) operate; and [2] protecting the individual system components like workstations. The May OCR newsletter highlights some important issues relating to the workstations that handle PHI." (Poyner Spruill LLP)
Court Requires Texas Cancer Center to Pay $4.3 Million in Penalties for HIPAA Violations
"MD Anderson had written encryption policies going as far back as 2006 [and] MD Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013." (U.S. Department of Health and Human Services [HHS])
IBM Employees Can't Use Removable Storage Anymore: A Strategy for Lowering HIPAA Liability Risk?
"[IBM's global chief information security officer, Shamla Naidoo] explains, 'the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.' ... USB sticks and SD cards are very easy to forget or lose, and whoever finds them will usually check what they contain. Removing them from the equation completely solves that problem, but the cloud access replacing it needs to be rock solid." (PC Magazine)
[Guidance Overview] Beware: HIPAA Applies to the Health Plans You Never Knew You Had
"Most [employee assistance plans (EAPs)] are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition ... Employers/plan administrators ... will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules." (Fox Rothschild LLP)
Risk Analyses vs. Gap Analyses -- What Is the Difference? (PDF)
"Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of [electronic protected health information]. A gap analysis, while not required by the HIPAA Rules, is a useful tool to identify whether certain standards and implementation specifications of the Security Rule have been met." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Court Allows Terminated Employee to Pursue ERISA Section 510 Claims Tied to Son's Large Medical Expenses
"[A]ctions justifiable under the FMLA proved the employer's undoing ... under ERISA.... [C]autious employers should take care to separate employment decisions from employee benefit plan considerations. In fact, this separation is mandatory under HIPAA's privacy rule for employers receiving protected health information from their health plan." [Stein v. Atlas Industries, Inc., No. 17-3737 (6th Cir. Apr. 9, 2018)] (Thomson Reuters / EBIA)
New York State Settlement of Data Breach with Health Plan Includes HIPAA Compliance Undertones
"While the Health Information Technology for Economic and Clinical Health Act [HITECH] granted state attorneys general the authority to enforce HIPAA through civil actions brought on behalf of state residents, until now this authority has not been publicly invoked to any noteworthy degree. The EmblemHealth case is an important reminder that covered entities and business associates, in addition to complying with HIPAA, must also ensure that they abide by state privacy laws that prohibit the improper disclosure of certain personal information." (Akerman)
Federal Enforcement Isn't the Only HIPAA Concern: States Flex Their Muscles
"Despite the lack of significant settlements for HIPAA enforcement by the federal Office of Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations.... Two recent settlements suggest that states are ramping up their enforcement activities." (McGuireWoods, LLP)
How to Stay Within the Law When Using Biometric Information
"Several states have passed laws that regulate how companies may collect, store and disclose biometric information from employees or other individuals.... State data-breach notification statutes include biometric information in the definition of protected personal information." (Society for Human Resource Management [SHRM])
HIPAA in Due Diligence, Part 3: Risk Mitigation Strategies
"Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps.... [I]t is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.... Buyers should consider whether it is appropriate to obtain specific indemnification or escrow of funds to cover potential HIPAA non-compliance.... If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close." (McGuireWoods, LLP)
Blockchain for Healthcare
"Given the decentralized, distributed nature of blockchain, HIPAA issues will need to be carefully considered. One of the benefits of many blockchains is that the transaction data is replicated to multiple nodes. This can create issues for protected information. This suggests that some form of private blockchain may be better suited for patient health records, perhaps combined with separating and encrypting personal health information." (Sheppard Mullin)
HIPAA in Due Diligence, Part 2: Cloud Server Data and HIPAA Compliance
"For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company's documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation.... HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike." (McGuireWoods, LLP)
HIPAA in Due Diligence: Four Key Questions
"To better understand a seller's overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction: [1] Does the seller have the core HIPAA documentation in place? ... [2] Is the seller complying with its policies? ... [3] How does the seller address potential HIPAA security and breach risk areas? ... [4] What is the nature of risk related to any identified gaps?" (McGuireWoods, LLP)
Is HIPAA a Sleeping Giant?
"So far, 2018 has been a light year in terms of HIPAA enforcement. There have been only two publicly-disclosed settlements.... Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future. No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front." (McGuireWoods, LLP)
© 2019, Inc.