News Archive: HIPAA

HUB International
May 27, 2026

"Self-funded group health plans implicate HIPAA ... Ransomware is treated as a presumptive breach ... A thorough and comprehensive risk analysis is critical in the wake of a breach ... Questions employers should be asking: [1] Do we have policies and procedure in place for HIPAA Privacy and HIPAA Security? [2] What about Breach Notification protocols? [3] Are employees with access to PHI completing HIPAA training annually? [4] Do we have a written incident response procedure that addresses ransomware scenarios and HIPAA breach notification timelines?"

Tags: HIPAA

Holland & Hart LLP
[Guidance Overview]
May 21, 2026

"The HIPAA privacy and security rules generally apply to protected health information of deceased persons as well as the living.... As with living persons, HIPAA allows providers to use or disclose protected health information of deceased persons for purposes of treatment, payment, or the provider's healthcare operations, unless the provider has agreed otherwise."

Tags: HIPAA

WTW
[Guidance Overview]
May 18, 2026

"A recent resolution agreement between [HHS] and an employer-sponsored group health plan resulted in a $245,000 payment and a comprehensive corrective action plan. This serves as a timely reminder that the Security Rule's requirements apply squarely to plan sponsors, not just healthcare providers.... [This article discusses] the key details of this enforcement action ... what the required risk analysis entails and ... what you should prioritize to stay ahead of the curve."

Tags: HIPAA

Gallagher
May 18, 2026

"This checklist helps employers understand their obligations and opportunities when an employee notifies them of their new marriage. Questions often arise on possible election changes, beneficiary rights and organizational policies. This checklist captures common compliance issues and offers helpful suggestions to avoid complications down the road."

Tags: 401(k) Plans  •  Death Benefits & Life Insurance  •  HIPAA  •  Health Plan Administration

BakerHostetler
[Guidance Overview]
May 4, 2026

"While HIPAA included employer-sponsored health plans within the definition of a HIPAA covered entity, OCR is -- for the first time in OCR's enforcement history -- applying its long-standing enforcement agenda directly to the employer health plan context. This activity is a reminder that HIPAA applicability is an overlooked legal risk for many major employers."

Tags: HIPAA

BakerHostetler
Apr. 29, 2026

"Risk analysis remains the foundation of HIPAA Security Rule compliance and continues to be a key OCR enforcement focus. Business associates and vendors are a major source of healthcare cybersecurity risk, making third-party oversight essential. Incident response, workforce training and documented security decisions are now critical markers of a defensible compliance program."

Tags: HIPAA

Jackson Lewis P.C.
Apr. 27, 2026

"While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not as common. This case, coupled with DOL guidance for ERISA fiduciaries concerning cybersecurity, underscores a growing regulatory focus not only on traditional healthcare entities, but also on the plans and ecosystems maintained by employers under ERISA."

Tags: HIPAA

U.S. Department of Health and Human Services [HHS]
Apr. 21, 2026

27 pages. "OCR received 732 notifications of breaches of unsecured PHI affecting 500 or more individuals that occurred during 2023, representing an increase of 17% from the number of reports received in calendar year 2022. These reported breaches affected a total of approximately 113,173,613 individuals. The most commonly reported category of breaches was hacking, and the largest breach of this type involved approximately 11,270,000 individuals. OCR also received 68,315 reports of breaches affecting fewer than 500 individuals that occurred during 2023, with unauthorized access or disclosure as the most frequent type of breach reported. These smaller breaches affected a total of 269,290 individuals."

Tags: HIPAA

Vorys
[Guidance Overview]
Apr. 16, 2026

"The Conduent incident is one of the largest reported health care data breaches in U.S. history and appears to have involved sensitive personal and protected health information. Even when a breach occurs at a third-party subcontractor, the employers' health plans may still have obligations under HIPAA. Because of the significant potential penalties for failure to report a breach, it is important for employers with self-funded group health plans to take prompt steps to assess whether the plan's data has been affected and whether any obligations have been triggered for the plan."

Tags: HIPAA

Constangy, Brooks, Smith & Prophete, LLP
[Guidance Overview]
Apr. 13, 2026

"If the provisions of the Final Rule are substantially similar to those in the Proposed Rule, it would raise the bar for demonstrating compliance with the HIPAA Security Rule. Under the proposed framework, incomplete documentation or informal practices will be harder to defend, particularly where an entity cannot show consistent, enterprise-wide governance. Organizations with mature, well-documented security programs will be better positioned to adapt, while others may need to reassess foundational compliance structures."

Tags: HIPAA

Miller Nash LLP
Mar. 20, 2026

"Employers should continue to exercise care to ensure that requests for medical records and similar information are justified by applicable law ... but can now be assured that, where necessary, HIPAA does not excuse the employee's obligation to provide it.... Employers should also continue to maintain medical records separately from personnel files, limit access to those with a need to know, and state in forms and notices how information will be used and protected, aligning with federal and state privacy obligations." [Trumper v. Women's Healthcare Assoc. LLC, No. 1010 (Ore. App. Nov. 26, 2025)]

Tags: HIPAA

Tags: HIPAA  •  Health Plan Administration  •  Reporting to Government Agencies

Haynes Boone
[Guidance Overview]
Mar. 12, 2026

"For plan sponsors, the potential lag between the date when mail is deposited at USPS and when it is actually processed and postmarked creates risk that time-sensitive materials (e.g., COBRA election notices, HIPAA certificates, decisions on benefit claims and appeals, summary plan descriptions, QDIA notices, fee disclosures and other required disclosures) may bear a postmark date later than intended, even if mailed before the deadline."

Tags: COBRA  •  HIPAA  •  Retirement Plan Administration

WTW
[Guidance Overview]
Mar. 6, 2026

"Group health plans can access a model notice as well as a Word version of a model notice on the HHS website. Under the HIPAA privacy rules, group health plans and other covered entities that receive, maintain or transmit certain SUD treatment records must update their NPPs to include specific content related to how they use or disclose the records. The deadline for updating the NPP was February 16, 2026."

Tags: HIPAA

Fisher Phillips
[Guidance Overview]
Mar. 3, 2026

"[1] Determine if your organization receives, maintains, or transmits PHI.... [2] Don't rely solely on TPA's policies.... [3] Designate a HIPAA Compliance Officer.... [4] Implement policies on uses and disclosures of PHI.... [5] Maintain a Notice of Privacy Practices (NPP) for your plan participants.... [6] Comply with the Security Rule and stay tuned for updates.... [7] Implement a business associate agreement (BAA) when required.... [8] Follow breach notification rules.... [9] Ensure ERISA fiduciary and cybersecurity oversight."

Tags: HIPAA

Holland & Hart LLP
[Guidance Overview]
Mar. 3, 2026

"As of February 16, 2026, the new rules governing the confidentiality of substance use disorder (SUD) records will be enforced. If they have not done so, federally assisted SUD programs (Part 2 Programs) who are covered entities under HIPAA will need to update their business associate agreements (BAAs) to ensure compliance with the new rules."

Tags: HIPAA

Fox Rothschild LLP
[Guidance Overview]
Feb. 27, 2026

"Health plans (including employer sponsors of self-insured group health plans) must update their published NPPs. Coming to the rescue of providers that waited to make the required changes to their Notices of Privacy Practices regarding SUD treatment records, the federal government itself waited until February 16 to update its model Notice of Privacy Practices to provide sample language that can be used to update or help draft NPPs for Part 2 compliance."

Tags: HIPAA

Thomson Reuters / EBIA
[Guidance Overview]
Feb. 26, 2026

"[T]he revised model notices can be a useful starting point, but plan sponsors should ensure that the final NPP language aligns with their actual practices and administration, and should coordinate updates with insurers, TPAs, and counsel. Given OCR's announcement of a civil enforcement program for confidentiality of SUD patient records, plan sponsors, group health plans, and business associates that receive and disclose information related to SUDs should act quickly to understand their obligations."

Tags: HIPAA

Sheppard
[Guidance Overview]
Feb. 24, 2026

"[1] Review and update consent forms facilitating release of SUD information to take advantage of the Final Rule's new flexibilities ... [2] Review and update Notices of Federal Confidentiality Requirements ... [3] Review and update Notices of Confidentiality Requirements ... [4] Revisit existing relationships with qualified service organizations (QPOs) to ensure appropriate agreements are in place. [5] Ensure that personnel handling SUD information receive training on the Final Rule's updates."

Tags: HIPAA

Quarles & Brady LLP
[Guidance Overview]
Feb. 20, 2026

"February 16, 2026 was not just another regulatory waypoint -- it marked the compliance deadline for significant changes affecting [HIPAA] Notices of Privacy Practices (NPP), driven by amendments aligning HIPAA more closely with ... the federal confidentiality regulations for substance use disorder (SUD) records. If your plan has not recalibrated yet, now is the time to check your settings."

Tags: HIPAA

Nixon Peabody LLP
[Guidance Overview]
Feb. 16, 2026

"[M]any HIPAA covered entities must implement updates to align certain Part 2 regulations with the HIPAA Privacy Rule. Guidance is now available for Notice of Privacy Practices (NPP) updates. OCR's Part 2 enforcement authority becomes active on February 16, 2026, and OCR has opened its portal for Part 2 complaints. To the extent separate from their HIPAA NPP, SUD providers now have a model Part 2 Patient Notice from OCR."

Tags: HIPAA

Winston & Strawn LLP
[Guidance Overview]
Feb. 4, 2026

"Plan sponsors should determine if and how the new Part 2 requirements apply to their group health plan and review their NPPs accordingly. Plan sponsors should also review whether and how PHI and SUD records travel through their systems and consult with any vendors that handle SUD records to ensure compliance. This may also require updates to business associate agreements for vendors that handle SUD on behalf of the group health plan."

Tags: HIPAA

Nixon Peabody LLP
[Guidance Overview]
Feb. 4, 2026

"In addition to the required NPP changes going into effect on February 16, 2026, OCR's authority to enforce Part 2 will take effect, which will allow the following: [1] Individuals will be able to file complaints with OCR for alleged Part 2 violations; [2] Part 2 providers will be required to report breaches of unsecured Part 2 records; and [3] OCR can begin investigation and enforcement activities, including the imposition of civil monetary penalties for violations."

Tags: HIPAA