"The magistrate reasoned that if plaintiff were successful in proving that the defendants breached their fiduciary duties in the dilatory manner in which they processed Mr. Holman's claims as he was dying, surcharge in the amount that the PSA Defendants were unjustly enriched -- presumably equal to the cost of the heart transplant -- could be an available remedy." [Rose v. PSA Airlines, Inc. Group Insurance Plan, No. 19-695 (W.D.N.C. mag. rep. Mar. 25, 2021)]

"Ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, which is double the number from 2019 ... 92 individual ransomware attacks occurred at healthcare organizations, and 600 clinics, hospitals and organizations were affected.,,, [N]ore than 18 million patient records were impacted ... a 470% increase from 2019[.]"

"The comment period for the proposed rule, which would end March 22, 2021, is extended to May 6, 2021."

"[T]his article outlines what a business associate is, what a business associate's obligations are, how a business associate can be liable for HIPAA violations, and tips to avoid such liability."

"[I]ndividuals and plans with deadlines that are suspended pursuant to the previously-issued rule will have the applicable periods under the Notices disregarded until the earlier of: [1] one year from the date they were 'first eligible for relief' ... or [2] 60 days after the announced end of the National Emergency."

"It is unclear how plans, TPAs, and insurers will be able to build their systems to create custom COBRA, special enrollment, and claims deadlines individual-by-individual ... Many may have to extend the deadlines for all while they determine how to proceed. This complexity will be even greater if COBRA subsidies are enacted ... DOL seems to be saying that plans may need to notify each individual when his or her one-year extension is about to be up[.]"

"[Disaster Relief Notice 2020-01] acknowledges that the agencies understand and appreciate the complications this latest guidance creates for plan administrators to immediately restart the clock of daily COBRA, HIPAA, and other deadlines and for individuals who now must immediately catch up monthly COBRA premium obligations to maintain health insurance under the employer's plan ... To be considered as acting in 'good faith and with reasonable diligence,' [here is a list of steps employers should take]."

"Effectively, the guidance says that all of the 'pause' buttons are on an individual-by-individual rolling basis. Thus for example, an employee who terminated prior to March 1, 2020 but whose COBRA 60-day election timeline had already begun to run but not yet expired, the timeline suspensions will end on February 28, 2021."

"A small breach involves fewer than 500 individuals.... Covered entities [must] report small breaches to OCR no later than 60 days after the end of the calendar year in which the small breaches were discovered. For calendar-year 2020, small breaches notifications are due on or before March 1, 2021."

"[W]ith just 10 days left before February 28, 2021, there is a bit of confusion as to how to handle what may mean the end of the pandemic's National Emergency declaration and the 'un-pause' of the prior paused timelines.... Congress and/or the agencies ... have four possible choices."

"Without an extension of this 12-month expiration date, [the author] believes the clock starts again on March 1, 2021 for COBRA, certain HIPAA special enrollment, and COBRA qualifying events and claims appeals."

"Adding to the confusion is a one-year statutory limit that applies to extensions mandated by the Departments. Since the Outbreak Period Extensions were first effective as of March 1, 2020, that one-year limit will be up shortly.... [P]lans and plan administrators should decide whether to end the extensions on midnight on February 28, 2021 based on this one-year limit."

"[H]ere we are, almost a year out, and the president hasn't rescinded the national emergency. But under ERISA, the feds only had the authority to suspend these deadlines for a year.... So, what happens on March 1 with respect to all those folks who, since then, haven't yet elected COBRA, paid their COBRA premium, submitted claims, applied for HIPAA special enrollment, or filed an appeal on a denied claim?"

"Employers that offer incentives to employees to get vaccinated may be creating group health plans under [ERISA]. In addition, incentivized vaccination programs may need to comply with [HIPAA] ... [G]uidance issued under the Genetic Information Nondiscrimination Act of 2008 (GINA) provides a road map for employers to avoid running afoul of GINA."

"Although the financial settlement is a large dollar amount, a number of factors likely impacted that penalty, including the high number of impacted individuals and the fact that the breach involved information with a higher degree of sensitivity, such as Social Security numbers and bank account information. In addition, the fact that the hackers reportedly had access to the Excellus system for such a long period likely played into the financial settlement amount."

"Publication 502 provides valuable guidance on what qualifies as a medical expense under Code Section 213(d), and thus helps identify the expenses that may be reimbursed or paid by health FSAs, HSAs, or HRAs, or covered on a tax-favored basis under other group health plans (e.g., employer-sponsored medical plans). But Publication 502 should be used with caution in connection with these benefits because it addresses the deductibility of medical expenses for individuals -- it does not account for differences in the rules for reimbursing expenses under health FSAs, HSAs, or HRAs."

"[T]he court found that the Security Rule did not require M.D. Anderson to have a 'bulletproof' mechanism, nor was it required to enforce the mechanism 'rigorously.' ... Under the court's pained interpretation of the Privacy Rule, M.D. Anderson's loss of ePHI via theft and loss did not qualify as a disclosure.... [T]he court held that the regulation required OCR to prove that someone outside the covered entity actually received the ePHI, and that OCR had failed to do so here." [Univ. of Texas M.D. Anderson Cancer Center v. HHS, No. 19-60226 (5th Cir. Jan. 14, 2021)]

"[T]he court emphasized that the plain language of the Encryption Rule only requires that a covered entity have a 'mechanism' for encryption in place; a covered entity's failure to encrypt three devices did not mean that it 'never implemented 'a mechanism' to encrypt anything at all.' ... The court held that HHS could not prove that M.D. Anderson 'disclosed' ePHI 'without proving that someone 'outside' the entity received it,' a standard that the agency conceded could not be met in that case, and that would be difficult to meet generally." [Univ. of Texas M.D. Anderson Cancer Center v. HHS, No. 19-60226 (5th Cir. Jan. 14, 2021)]

"Although this case is still working its way through proceedings, this strongly worded opinion calls into question some fundamental principles of OCR's enforcement approach. For example, OCR has consistently asserted that an unauthorized disclosure occurs whenever PHI is publicly accessible through an internet search--regardless of whether it can demonstrate that anyone actually accessed the PHI in that way. It will be harder for OCR to establish privacy rule violations if it has to prove that an unauthorized recipient actually accessed PHI." [Univ. of Texas M.D. Anderson Cancer Ctr. v. HHS, No. 19-60226 (5th Cir. Jan. 14, 2021)]

"The [HHS] Proposed Rule would affect how individuals may exercise their rights to access and share their protected health information (PHI), limit and adjust the fees covered entities may charge for access, introduce new concepts such as 'electronic health record' (EHR) and 'personal health application' (PHA) into a health information ecosystem already awash in acronyms, broaden data sharing by modifying the 'minimum necessary' standard and adjusting the definition of 'health care operations,' and reduce administrative burdens relating to the ubiquitous HIPAA notice of privacy practices, among other changes."

"Excellus Health Plan reported that the breach began on or before December 23, 2013, and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information."

"The proposal would require covered entities to act on access requests 'as soon as practicable' and would shorten the deadline for action from 30 to 15 days.... Health plan participants could, however, instruct their health plan to request EHRs from covered health care providers, which would then be required to disclose the requested EHRs directly to the plan.... The proposal would clarify that health plans' care coordination and case management activities -- whether based on broad populations or particular individuals -- are considered health care operations."

"Congress has passed and President Trump has signed legislation that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require HHS, in enforcing HIPAA, to consider whether HIPAA covered entities (CEs) or business associates (BAs) have implemented and applied certain recognized security practices -- including with regard to cybersecurity[.]"

"The new law provides a strong incentive to covered entities and business associates to adopt 'recognized cybersecurity practices' and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations."

Article provides links to a dozen compliance guides covering various aspects of health plan benefit design and administration.