News Items, by Subject

Health plan admin - HIPAA

HHS Requests Public Input on Potential Changes to HIPAA Privacy and Security Rules
"The RFI includes questions about various aspects of the privacy rule's disclosure provisions, with the goal of promoting information sharing for treatment and care coordination.... The RFI notes anecdotal evidence suggesting that some covered entities are reluctant to disclose PHI to relatives of individuals facing health crises for fear of violating HIPAA.... The RFI asks whether the requirements for Notices of Privacy Practices can be made less burdensome, whether the model notices are being used, and whether there are better ways to inform individuals of their HIPAA rights." (Thomson Reuters / EBIA)
Healthcare Industry Reminded to Heed Cybersecurity: New 'Industry Standard' Guidance
"HHS in partnership with the healthcare industry has released 'Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients' ... This four-volume publication addresses voluntary, best cybersecurity practices for healthcare organizations of all sizes.... The resource should not be read to override other healthcare security obligations (such as under [HIPAA]) but may help fill interpretation gaps where there's discretion on how to meet a specific HIPAA security standard. It may also be grounds to show lack of reasonable security in support of legal claims under other laws beyond HIPAA." (Womble Bond Dickinson)
[Guidance Overview] HIPAA Breach Notification: When and How to Self-Report
"Under the breach notification rule, covered entities are only required to self-report if there is a 'breach' of 'unsecured' PHI.... [T]he covered entity or business associate must determine the following: Was there a violation of the privacy rule? ... Does the violation fit within breach exception? ... Is there a 'low probability that the data has been compromised?' ... When in doubt, it is likely safer to report." (Holland & Hart LLP)
HIPAA and Health Care Data Privacy: 2018 Year-in-Review
"Though there were fewer resolution agreements than in 2017, 2018 brought us the largest fine since OCR began enforcing HIPAA (Anthem's payment of $16 million in October). With this year's resolution agreements ... we see many of the same enforcement themes we have seen in previous years, including: [1] the importance of conducting an accurate and thorough risk assessment; [2] the necessity of business associate agreements; and [3] the need to be good at the 'basics' of HIPAA compliance." (Mintz)
Does Loss of Eligibility for Short-Term, Limited-Duration Health Insurance Trigger HIPAA Special Enrollment Rights?
"The preamble to the regulations indicates that loss of eligibility for short-term, limited-duration coverage gives rise to a HIPAA special enrollment right with respect to group health plan coverage ... [L]oss of eligibility does not include loss of coverage resulting from the failure to pay timely premiums or voluntarily dropping coverage. Thus, special enrollment rights under your plan will not be triggered ... solely because an employee becomes dissatisfied with the short-term, limited-duration coverage and decides to drop the coverage." (Thomson Reuters / EBIA)
[Official Guidance] Text of EBSA Updated FAQs: EFAST2 Form 5500 Electronic Filing for Small Businesses
"Q1: Do I need to buy software to submit my Form 5500 or 5500-SF? ... Q2: If I want to use IFILE, what do I need? ... Q3: What do you mean by EFAST2 credentials and why do I need them? ... Q4: Is it easy to get EFAST2 credentials? ... Q5: If I don't want to get EFAST2 credentials so that I can personally file my plan's Form 5500 or Form 5500-SF, is there any way that I can have a service provider complete and electronically file the Form 5500/5500-SF for me? ... Q6: Once my completed and electronically signed Form 5500 or 5500-SF is transmitted, how do I confirm that it was received by EFAST2? ... Q7: Are there civil penalties for failure to electronically file the plan's Form 5500 or Form 5500-SF? ... Q8: Is there a process to appeal civil penalties assessed for failing to e-file?" (Employee Benefits Security Administration [EBSA], U.S. Department of Labor [DOL])
[Official Guidance] Reminders to Qualified Health Plan Issuers: CMS QHP Requirements for Personally Identifiable Information Breach and Security Incident Reporting (PDF)
Unnumbered document; Dec. 14, 2018. "What happens if a QHPI fails to report a suspected or confirmed Incident or Breach involving PII?" (Centers for Medicare & Medicaid Services [CMS], U.S. Department of Health and Human Services [HHS])
[Guidance Overview] HHS Seeks Public Input on Improving Care Coordination and Reducing the Regulatory Burdens of the HIPAA Rules
"HHS developed the HIPAA Rules to protect individuals' health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients' ability to exercise their rights with respect to their PHI." (U.S. Department of Health and Human Services [HHS])
[Official Guidance] Text of HHS RFI on Modifying HIPAA Rules to Improve Coordinated Care
"The Office for Civil Rights (OCR) is issuing this Request for Information (RFI) to assist OCR in identifying provisions of the [HIPAA] privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals' protected health information. This RFI requests information on whether and how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals' rights with respect to it." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Former HHS Official Says Health Data Must be Portable, But Don't Forget the Consumer
"HIPAA does not address the handling of PHI by other entities, typically referred to as 'non-covered entities,' including many new consumer health technology companies (and even some healthcare providers who don't accept insurance). Limited protections exist for data held by these entities under current state and federal law." (Bloomberg BNA)
DOL Lawsuits Show Increased Enforcement of HIPAA Wellness Rules
"Recent lawsuits against certain employers assert that their health-contingent outcome-based wellness programs don't comply with the HIPAA wellness rules, generally by not offering a [reasonable alternative standard (RAS)].... Most of the participants in the recent DOL lawsuits who did not confirm they had quit smoking -- that is, were tobacco free -- for some duration, such as six months, had to pay surcharges. Moreover, the employers failed to give participants who met the RAS a way to avoid the surcharge retroactively, which is required under HIPAA's wellness rules." (Willis Towers Watson)
Healthcare Data Breach Enforcements and Fines
"[1] While enforcement activities and fines are projecting upward, they appear stable between 2014‑2015. [2] Only a minority of investigations lead to fines and penalties. [3] Cooperation in government-initiated compliance reviews is key to reducing the risk of a penalty. [4] Having multiple incidents, even if minor on their own, tends to trigger an investigation and lead to fines and [Resolution Agreements]. [5] All entities, regardless of size, are at risk of being found non-compliant and facing large fines in an investigation." (Bryan Cave Leighton Paisner)
Checklist for Evaluating Business Associate Compliance with HIPAA
"[1] Verify that a Business Associate Agreement is in-place with all service providers that handle PHI. [2] Designate a security officer. [3] Perform a Security Risk Assessment. [4] Implement administrative, physical, and technical safeguards to protect PHI. [5] Identify and report breaches of security. [6] Develop policies for HIPAA / HITECH compliance. [7] Impose disciplinary actions where employees or vendors violate HIPAA / HITECH obligations. [8] Maintain HIPAA and HITECH relevant documentation for such periods as required by law." (Bryan Cave Leighton Paisner)
$16 Million Record-Breaking HIPAA Settlement
"While this phishing attack took place in 2015, it is another example in the increasing trend of phishing campaigns and the significant reach these cyberattacks can have on targeted companies.... [W]hile an enterprise-wide risk analysis is important and required, less time consuming efforts can also be extremely effective preventive measures.... [P]hishing awareness programs (including an organization phishing campaign) can go a long way in addressing the significant human factor in decreasing these types of cyberattacks." (Quarles & Brady LLP)
Changes Ahead for HIPAA?
"HHS plans to issue a request for information on a proposal to share a percentage of money paid by health care organizations through civil monetary penalties or monetary settlements resulting from data breaches with the affected individuals.... HHS's list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information." (Mintz)
Handling HIPAA Breaches: Investigating, Mitigating and Reporting
"[1] Stop the breach.... [2] Contact the privacy officer.... [3] Respond promptly.... [4] Investigate appropriately.... [5] Mitigate the effects of the breach.... [6] Correct the breach.... [7] Impose sanctions.... [8] Determine if the breach must be reported to the individual and HHS.... [9] If required, report the breach to the individual and HHS." (Holland & Hart LLP)
[Guidance Overview] Wellness Promotion/Prevention: Overcoming Legal and Compliance Hurdles (PDF)
28 presentation slides. Topics include: [1] HIPAA nondiscrimination requirements; [2] Americans with Disabilities Act (ADA); [3] Genetic Information Nondiscrimination Act (GINA); [4] Age Discrimination in Employment Act (ADEA); [5] ERISA/ACA compliance issues; [6] HIPAA administrative simplification (privacy, EDI, and security); [7] COBRA; [8] ERISA; [9] Income tax; [10] Plan design/integration issues (e.g., HRAs and HSAs); [11] State law. (Alston & Bird)
Maintaining Current Enterprise Wide Security Risk Assessment Critical to Managing HIPAA Security Rule and Other Breach Risks
"HIPAA Entities generally will want to ensure that their new enterprise risk assessment documents their consideration of [1] the newly updated Security Risk Assessment (SRA) Tool ... [2] lessons shared in OCR's $16 million Anthem, Inc. resolution agreement, [3] $5.55 million resolution agreement with Memorial Healthcare System and other OCR HIPAA resolution agreements, [4] civil monetary penalty assessments and other Security Rule guidance, [and] ... [5] other emergent internal and external data suggesting potential susceptibilities of their own systems and data to breach or loss." (Solutions Law Press)
HHS Opens Door to Major Health-Care Privacy Changes
"[HHS] will release a request for information in November asking the public whether [HIPAA] is blocking a move toward providing coordinated care for patients and creating a value-based payment system ... New regulations in this area could especially enhance the ability of providers to exchange patient information and improve overall patient care[.]" (Bloomberg BNA)
HIPAA and Accounting Cybersecurity Update
"The SEC had been investigating 9 publicly traded companies who became victims ... The fake vendor scams were emails from company vendors (following hacking into vendor systems) requesting payment to the vendors but directing the funds to non-vendor accounts.... [Two of the companies] lost in excess of $30 million and all 9 in total lost nearly $100 million. Because HR requires the use of a number of vendors to deliver benefits, it is important that all of the HR department personnel be alert when reviewing email requests for payment." (Winstead PC)
Anthem's $16 Million HIPAA Settlement Is Largest in History
"HHS has begun providing tools for addressing cyber attacks, though in some ways these resources are geared more toward incident response than to preventing an attack in the first place.... In the Anthem settlement, HHS focuses on at least two compliance shortfalls that contributed to the breach -- not conducting a thorough risk analysis of potential risks to ePHI and not regularly reviewing records of information system activity." (Thomson Reuters Practical Law)
HHS Increases Civil Money Penalties for HIPAA Noncompliance
"The adjusted penalty amounts apply to penalties assessed on or after October 11, 2018, if the violation occurred on or after November 2, 2015 ... [A] table reflects certain of HHS's annual inflation adjustments to the civil money penalties for HHS-administered provisions, effective October 11, 2018." (Thomson Reuters Practical Law)
How to Avoid a $16 Million Settlement with HHS
"While you may not have PHI of 79 million individuals, even a single violation of HIPAA can lead to the $1.5 million cap per violation very quickly (as HHS has the authority to penalize a covered entity up to $50,000 per violation per individual impacted). This breach all began with employees receiving phishing emails. At least one Anthem employee responded to the phishing email, which opened the door to the cyber-attackers obtaining personally identifiable information of approximately 79 million individuals." (Graydon)
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
"The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.... This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans." (U.S. Department of Health and Human Services [HHS])
HHS Adjusts Penalties for HIPAA Violations (PDF)
"HHS has announced its annual inflation-related adjustments to civil monetary penalties for violations of the HIPAA Privacy and Security Rules. These penalties reflect a 2.041 percent increase over the prior amounts and are effective as of October 11, 2018.... The new amounts apply only to penalties assessed on or after October 11, 2018, for violations occurring on or after November 2, 2015." (Buck)
Unauthorized Disclosure of PHI During Filming of TV Series Leads to Nearly $1 Million in HIPAA Settlements
"[T]hese settlements provide important reminders. First, information that identifies, or can be used to identify, individuals may be PHI, even if the individuals are not specifically named.... Second, HIPAA generally does not recognize implied authorizations to use or disclose PHI." (Thomson Reuters / EBIA)
Television Crew's Filming of Hospital Patients Results in HIPAA Settlements Totaling Nearly $1 Million
"In some cases the hospitals had reviewed and assessed patient privacy issues concerning the filming and adopted protections concerning patient privacy, for example, providing the film crews with the same HIPAA privacy training that workforce members received ... Despite these protections, however, HHS concluded in its investigations that the hospitals: [1] Impermissibly disclosed patients' protected health information (PHI) to the television crews by permitting filming without first receiving patient authorizations. [2] Failed to adequately safeguard patient PHI from disclosure." (Thomson Reuters Practical Law)
OCR Cybersecurity Newsletter: Considerations for Securing Electronic Media and Devices (PDF)
"To reduce the risk of loss, theft, and the potential of a breach of PHI, organizations may want to consider the following questions ... [1] Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles? ... [2] Does the organization's record of device and media movement include the person(s) responsible for such devices and media? ... [3] Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI? ... [4] Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?" [August 2018] (U.S. Department of Health and Human Services [HHS])
HHS Addresses Disposing of Electronic Devices and Media Under HIPAA
"HHS's Office for Civil Rights (OCR) has issued newsletter guidance on disposing of electronic devices and media that may contain protected health information (PHI) subject to HIPAA ... The newsletter addresses procedures for securely decommissioning and disposing of devices or media that need to be replaced. In general, these procedures involve either: Destroying the devices or media [or] Removing any confidential or sensitive information stored on the devices or media." (Thomson Reuters Practical Law)
HIPAA Case Study Shows How to Get it Right
"Employers that are, or that have plans, subject to HIPAA should: [1] Ensure you have HIPAA and disciplinary policies that are well written, clear, and understandable. [2] Provide examples of prohibited conduct. [3] Enforce your policies consistently and across the board -- don't make exceptions or vary your response to similar violations and misconduct. [4] Ensure that employees are trained and tested on a regular basis ... [5] Monitor employee conduct and behavior for compliance ... [6] Be sure that if you are a medical provider that provides care to your employees that they are included in the protections offered by your policies." (HUB International)
Frequently Overlooked Mistakes in HIPAA Compliance
"HIPAA requires that disclosure of health care records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information (PHI) is only entitled to those data points necessary to perform their function, e.g. names and addresses.... HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure.... [I]ncorporating compliance into the succession plan at the earliest possible stage is the prudent approach." (Poyner Spruill LLP)
To Bring Health Information Privacy Into the 21st Century, Look Beyond HIPAA
"Even though HIPAA remains 'surprisingly functional,' significant gaps persist. These gaps, however, derive not from HIPAA per se, but from the patchwork of health information privacy rules outside of HIPAA.... [O]ne element of this patchwork: the complex rules around and new challenges created by big data analytics. [Additional examples are] ... Social Media ... The Role of States ... Veterans ... Following the European Union's Lead." (Health Affairs)
[Guidance Overview] OCR Cybersecurity Newsletter: Guidance on Software Vulnerabilities and Patching (PDF)
"Identifying software vulnerabilities and mitigating the associated risks are important activities for [HIPAA covered entities and business associates] to conduct as part of their security management process and technical evaluations.... Mitigation activities could include installing patches ... In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching ... entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level[.]" (U.S. Department of Health and Human Services [HHS])
Privacy Please: HIPAA and Artificial Intelligence
"A critical threshold question is at what point does an AI vendor become subject to HIPAA? The answer has significant ramifications for both the AI vendor and the covered customer, which may be a health care provider, health plan, clearinghouse, or business associate. The AI functionality could fall along a continuum ranging from falling outside of HIPAA to triggering the business associate obligations subject to HIPAA." (Artificial Intelligence Law Advisor, Davis Wright Tremaine LLP)
Failure to Encrypt Leads to $4.3 Million in HIPAA Civil Money Penalties
"The breach reports involved: The theft of an unencrypted laptop computer, used for teleworking, which contained the electronic protected health information (ePHI) of nearly 30,000 individuals, from a workforce member's residence. The loss of two unencrypted USB drives, which had belonged to a trainee and a visiting researcher (respectively), and collectively contained the ePHI of roughly 5,800 individuals.... The ALJ's ruling faults the CE, at length, for adopting policies that acknowledged the need for encryption and protecting confidential information (including ePHI), but not fully carrying out those policies in practice for years." (Thomson Reuters Practical Law)
OCR Provides Reminder About Fundamental Aspect of Physical Security for PHI
"One aspect of security that is lurking in plain sight is the workstation. The Security Rule ... focuses on two key areas: [1] controls on physical access to the facility or area where systems which process Protected Health Information (PHI) operate; and [2] protecting the individual system components like workstations. The May OCR newsletter highlights some important issues relating to the workstations that handle PHI." (Poyner Spruill LLP)
Court Requires Texas Cancer Center to Pay $4.3 Million in Penalties for HIPAA Violations
"MD Anderson had written encryption policies going as far back as 2006 [and] MD Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013." (U.S. Department of Health and Human Services [HHS])
IBM Employees Can't Use Removable Storage Anymore: A Strategy for Lowering HIPAA Liability Risk?
"[IBM's global chief information security officer, Shamla Naidoo] explains, 'the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.' ... USB sticks and SD cards are very easy to forget or lose, and whoever finds them will usually check what they contain. Removing them from the equation completely solves that problem, but the cloud access replacing it needs to be rock solid." (PC Magazine)
[Guidance Overview] Beware: HIPAA Applies to the Health Plans You Never Knew You Had
"Most [employee assistance plans (EAPs)] are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition ... Employers/plan administrators ... will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules." (Fox Rothschild LLP)
Risk Analyses vs. Gap Analyses -- What Is the Difference? (PDF)
"Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of [electronic protected health information]. A gap analysis, while not required by the HIPAA Rules, is a useful tool to identify whether certain standards and implementation specifications of the Security Rule have been met." (Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS])
Court Allows Terminated Employee to Pursue ERISA Section 510 Claims Tied to Son's Large Medical Expenses
"[A]ctions justifiable under the FMLA proved the employer's undoing ... under ERISA.... [C]autious employers should take care to separate employment decisions from employee benefit plan considerations. In fact, this separation is mandatory under HIPAA's privacy rule for employers receiving protected health information from their health plan." [Stein v. Atlas Industries, Inc., No. 17-3737 (6th Cir. Apr. 9, 2018)] (Thomson Reuters / EBIA)
New York State Settlement of Data Breach with Health Plan Includes HIPAA Compliance Undertones
"While the Health Information Technology for Economic and Clinical Health Act [HITECH] granted state attorneys general the authority to enforce HIPAA through civil actions brought on behalf of state residents, until now this authority has not been publicly invoked to any noteworthy degree. The EmblemHealth case is an important reminder that covered entities and business associates, in addition to complying with HIPAA, must also ensure that they abide by state privacy laws that prohibit the improper disclosure of certain personal information." (Akerman)
Federal Enforcement Isn't the Only HIPAA Concern: States Flex Their Muscles
"Despite the lack of significant settlements for HIPAA enforcement by the federal Office of Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations.... Two recent settlements suggest that states are ramping up their enforcement activities." (McGuireWoods, LLP)
How to Stay Within the Law When Using Biometric Information
"Several states have passed laws that regulate how companies may collect, store and disclose biometric information from employees or other individuals.... State data-breach notification statutes include biometric information in the definition of protected personal information." (Society for Human Resource Management [SHRM])
HIPAA in Due Diligence, Part 3: Risk Mitigation Strategies
"Given the uptick in enforcement against both covered entities and business associates and ever-increasing fines, it is important to take a proactive approach to quickly address compliance gaps.... [I]t is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.... Buyers should consider whether it is appropriate to obtain specific indemnification or escrow of funds to cover potential HIPAA non-compliance.... If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close." (McGuireWoods, LLP)
Blockchain for Healthcare
"Given the decentralized, distributed nature of blockchain, HIPAA issues will need to be carefully considered. One of the benefits of many blockchains is that the transaction data is replicated to multiple nodes. This can create issues for protected information. This suggests that some form of private blockchain may be better suited for patient health records, perhaps combined with separating and encrypting personal health information." (Sheppard Mullin)
HIPAA in Due Diligence, Part 2: Cloud Server Data and HIPAA Compliance
"For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company's documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation.... HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike." (McGuireWoods, LLP)
HIPAA in Due Diligence: Four Key Questions
"To better understand a seller's overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction: [1] Does the seller have the core HIPAA documentation in place? ... [2] Is the seller complying with its policies? ... [3] How does the seller address potential HIPAA security and breach risk areas? ... [4] What is the nature of risk related to any identified gaps?" (McGuireWoods, LLP)
Is HIPAA a Sleeping Giant?
"So far, 2018 has been a light year in terms of HIPAA enforcement. There have been only two publicly-disclosed settlements.... Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future. No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front." (McGuireWoods, LLP)
What Employers Need to Know About Protecting Employee Health Information
"HIPAA generally does not apply to employee health information maintained by an employer.... Even when HIPAA does not apply, employers still have other legal obligations to protect the confidentiality of employee health information in their possession." (Ogletree Deakins)
Anticipating This Year's HIPAA Enforcement Trends (PDF)
"In a time of cybersecurity where each state (almost) is developing their own cybersecurity and breach notification rules, there is still a general rule of federal preemption when it comes to HIPAA, with only a narrow exception for additional state laws and regulations that are in excess of the requirements of HIPAA. It is not inconceivable that in 'streamlining' HIPAA regulations that HHS looks for ways to give the states more rights to legislate the security and use of medical information." (Jenner & Block, via Law360)
Receiver for Out-of-Business HIPAA Business Associate Reaches $100,000 Settlement with HHS
"In addition to the $100,000 payment, the receiver agreed, on the company's behalf, to comply with a corrective action plan (CAP). The receiver had already placed the medical records at issue into storage with a third-party information management company. The CAP requires the receiver to properly store and dispose of these remaining medical records." (Thomson Reuters Practical Law)
Consequences for HIPAA Violations Don't Stop When a Business Closes
"A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 ... in order to settle potential violations of the [HIPAA] Privacy Rule. Filefax ... advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities. Although Filefax shut its doors during the course of OCR's investigation into alleged HIPAA violations, it could not escape its obligations under the law." (U.S. Department of Health and Human Services [HHS])
[Guidance Overview] Due March 1: HIPAA Small Breach Notifications
"HIPAA requires covered entities to provide breach notification to affected individuals without unreasonable delay ... Covered entities also must report small breaches to OCR no later than 60 days after the calendar year in which the small breaches were discovered.... Most business associates will not be affected by this deadline because their reporting obligation is to the covered entity and not to OCR, unless the covered entity has delegated its breach reporting obligations to the business associate." (Davis Wright Tremaine LLP)
[Guidance Overview] Opioid Abuse: Employment Laws, HIPAA Privacy and Other Considerations for Employers
"Employers who may be facing employees with substance use and abuse issues need to be concerned with workplace laws related to safety (OSHA), HIPAA Privacy (if the information about the condition is received by the employer's medical plan), the Mental Health Parity and Addiction Equity Act and their medical plan's compliance with such law, FMLA, the Americans with Disabilities Act and state medical privacy laws." (Winstead PC)
$3.5M HIPAA Settlement Highlights Need to Prioritize Health Plan HIPAA Compliance in 2018
"When weighing the importance of HIPAA compliance and risk management for their health plans, health plans, their employer or other sponsors, fiduciaries, insurers, administrators and their business associates should resist the temptation to underestimate the exposure because providers, rather than health plans, have been the most common target of the majority of the announced OCR enforcement actions resulting in substantial civil monetary penalties or resolution payments." (Solutions Law Press)
Court Declines to Dismiss Claims Against Business Associate Subcontractor Responsible for HIPAA Breach
"The PBM, which contracted with a group health plan to provide mail-order pharmacy services, subcontracted certain functions to the mail service.... According to the PBM, the mail service's unauthorized disclosures violated a performance standard under the PBM's contract with the health plan and triggered a payment of over $1.8 million by the PBM to the plan. The PBM then sought indemnification from the mail service, both under its business associate subcontract and common-law principles, and also contended that the mail service was negligent." [CVS Pharmacy, Inc. v. Press America, Inc., No. 17-190 (S.D.N.Y. Jan. 3, 2018)] (Thomson Reuters / EBIA)
Remember February Deadline for HIPAA Breach Reporting
"While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery, breaches involving fewer than 500 individuals can be documented throughout the course of the year and submitted 60 days after the end of the calendar year. This means that covered entities have until February 28, 2018 to complete their annual breach reporting obligations." (Husch Blackwell)
HIPAA Breach Reporting: 2017 Trends and Mends
"OCR data shows that HIPAA privacy breach reports affecting 500 or more individuals remained relatively stable when compared to 2016, increasing slightly from 327 to 345. Hacking and IT incidents, however, rose by 25%, with 142 in 2017 compared to 113 in 2016." (McGuireWoods, LLP)
Multiple Security Failures Lead to $2.3 Million HIPAA Settlement
"This is the first resolution agreement publicly announced in several months, but the size of the settlement payment and the strict terms of the CAP indicate that OCR continues to take HIPAA privacy and security compliance seriously. More robust audit controls might have enabled this provider to discover the unauthorized disclosures before the FBI did -- potentially avoiding OCR's investigation and the attendant ramifications." (Thomson Reuters / EBIA)