<< Older News  |  December 4, 2020

News

All News > HIPAA

HIPAA Resolution Agreements Address Web Services, Window Envelopes, and Access Termination
Thomson Reuters / EBIA
Nov. 19, 2020

"These resolution agreements address fundamental and common privacy and security issues and provide a reminder that not all breaches are the result of sophisticated cyberattacks. Prosaic failures can also expose PHI to unauthorized disclosures, underscoring the importance of adopting clear policies and procedures, followed by workforce training and consistent implementation."

Tags: HIPAA

Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, for Calendar Year 2018 (PDF)
U.S. Department of Health and Human Services [HHS]
Nov. 9, 2020

19 pages. "[In] addition to requiring covered entities and business associates to take corrective action in hundreds of cases, for 2018, the Department resolved eleven investigations with resolution agreements/corrective action plans or the imposition of civil money penalties totaling more than $28 million."

Tags: HIPAA

Text of Agency Final Rule: Transparency in Coverage by Health Insurance Issuers and Group Health Plans (PDF)
Centers for Medicare & Medicaid Services [CMS], U.S. Department of Health and Human Services [HHS]; Employee Benefits Security Administration [EBSA], U.S. Department of Labor [DOL]; Internal Revenue Service [IRS]; and U.S. Department of the Treasury
[Official Guidance]
Oct. 29, 2020

470 pages. "The final rules set forth requirements for group health plans and health insurance issuers in the individual and group markets to disclose cost-sharing information upon request to a participant, beneficiary, or enrollee (or his or her authorized representative), including an estimate of the individual's cost-sharing liability for covered items or services furnished by a particular provider. Under the final rules, plans and issuers are required to make this information available on an internet website and, if requested, in paper form, thereby allowing a participant, beneficiary, or enrollee (or his or her authorized representative) to obtain an estimate and understanding of the individual's out-of-pocket expenses and effectively shop for items and services. The final rules also require plans and issuers to disclose in-network provider negotiated rates, historical out-of-network allowed amounts, and drug pricing information through three machine-readable files posted on an internet website, thereby allowing the public to have access to health coverage information that can be used to understand health care pricing and potentially dampen the rise in health care spending. The Department of Health and Human Services (HHS) also finalizes amendments to its medical loss ratio (MLR) program rules to allow issuers offering group or individual health insurance coverage to receive credit in their MLR calculations for savings they share with enrollees that result from the enrollees shopping for, and receiving care from, lower-cost, higher-value providers.... The final rules are effective [60 days after publication in the Federal Register, now scheduled for Nov. 12, 2020]." [Also available: press release and Fact Sheet]

Tags: HIPAA  •  Health Plan Administration  •  Health Plan Costs

HIV-Related Disclosures (and More) Lead to $1 Million HIPAA Settlement
Thomson Reuters Practical Law
Oct. 29, 2020

"HHS's investigation revealed that the insurer: [1] Failed to conduct a periodic technical and nontechnical evaluation following environmental or operational changes affecting the security of PHI. [2] Impermissibly disclosed the PHI of approximately 18,500 individuals. [3] Failed to limit disclosed PHI to the minimum necessary to accomplish the intended purpose. [4] Failed to implement appropriate administrative, technical, and physical safeguards to protect PHI in its possession."

Tags: HIPAA

Aetna Pays $1,000,000 to Settle Three HIPAA Breach Reports
U.S. Department of Health and Human Services [HHS]
Oct. 29, 2020

"[On] April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines. Aetna reported that 5,002 individuals were affected by this breach ... In addition to the monetary settlement, Aetna will undertake a corrective action plan that includes two years of monitoring."

Tags: HIPAA

HIPAA Enforcement: Lessons from the OCR's Recent Settlements
Holland & Hart LLP
Oct. 27, 2020

"The OCR has announced a surprising number of HIPAA settlements in the past few months with penalties ranging from $10,000 to $6.5 million.... [K]ey takeaways ... [1] Protect against cyberattacks.... [2] Perform an effective security risk assessment.... [3] Maintain appropriate policies and safeguards.... [4] Encrypt your devices.... [5] Respect the [individual's] right to access their information.... [6] Respond promptly to known or suspected concerns.... [7] Report breaches in a timely manner.... [8] Business associates beware! ... [9] Small providers are not exempt.... [10] Do not disclose PHI on social media."

Tags: HIPAA

HIPAA Breach Notifications for Employers
ABD Insurance & Financial Services
Oct. 20, 2020

"Once the employer determines that a breach of unsecured PHI has occurred in a self-insured health plan, HIPAA requires notice to the affected individuals, HHS, and in some cases the media depending on the scope of the breach.... [1] Determining whether a breach has occurred: the risk assessment ... [2] The three exclusions from breach ... [3] Breach notification step #1: Notice to affected individuals ... [4] Breach notification step #2: Notice to HHS ... [5] Breach notification step #3: Notice to the media (500+ only)."

Tags: HIPAA

Data Breaches and HIPAA Enforcement Remain Endemic Amidst the COVID-19 Pandemic
Health Law Advisor, Epstein Becker Green
Oct. 19, 2020

"[E]nterprise-wide risk analyses should account not only for PHI, but also for other personally identifiable information (PII). Nearly every organization will possess PII, ... with each bearing privacy and security obligations under a variety of federal laws and regulations specifically addressing cybersecurity practices. Organizations must also be mindful of state and local requirements concerning cybersecurity[.]"

Tags: Coronavirus (COVID-19)  •  Cybersecurity  •  HIPAA  •  Retirement Plan Administration

ACA and HIPAA Excepted Benefits
ABD Insurance & Financial Services
[Guidance Overview]
Oct. 13, 2020

"Most employer-sponsored dental, vision, health FSA, and EAP plans are excepted benefits that are not subject to certain ACA and HIPAA requirements.... Examples of ACA market reform provisions not applicable to excepted benefits ... Examples of HIPAA portability provisions not applicable to excepted benefits ... [1] Dental plan ... [2] Vision plan ... [3] Health FSA ... [4] EAP."

Tags: HIPAA  •  Health Plan Design

How COVID-19 Rules Changes Affect Benefits Compliance Strategy
HUB International
[Guidance Overview]
Oct. 12, 2020

"[1] CARES Act: coverage of COVID-19 testing and COVID-19 antibody testing and preventative care (mandated) ... [2] CARES Act: telehealth and high deductible health plans (optional) ... [3] CARES Act and reimbursements for over-the-counter drugs and women's products (optional) ... [4] COBRA changes may have significant impact on employers (mandated) ... [5] HIPAA Special enrollment rights -- Expanded timeframes (mandated change) ... [6] ERISA claims procedures and COVID-19 (mandated change) ... [7] Mid-year election year changes expanded (optional)."

Tags: CARES Act  •  COBRA  •  Coronavirus (COVID-19)  •  HIPAA  •  Health Plan Administration  •  Health Plan Design

HHS Announces Eight HIPAA Settlements
Ballard Spahr LLP
Oct. 5, 2020

"The three largest settlements all relate to breaches from hackers who had access to ePHI over an extended period of time. One of the settlements involves the second-largest HIPAA settlement amount in OCR's history, amounting to $6.85 million. In addition to the three breach-related settlements, the OCR announced this past month that it had entered into five settlements related to patients' access to their own health records."

Tags: HIPAA

Hacker's Use of Vendor's Credentials Reveals Systemic Failures, Leading to $1.5 Million HIPAA Settlement
Thomson Reuters / EBIA
Oct. 2, 2020

"This resolution agreement highlights vulnerabilities that can be introduced from outside a covered entity's or business associate's own operating environment. Notably, OCR repeatedly refers to the third party in this settlement as a vendor rather than a business associate, implying that although the third party did not have direct access to PHI, its credentials could be used to gain access."

Tags: HIPAA

Cyber-Attackers' Theft of Over Ten Million Individuals' PHI Leads to $6.85 Million HIPAA Settlement
Thomson Reuters Practical Law
Sept. 30, 2020

"HHS's investigation revealed that the plan failed to: [1] Conduct an accurate and thorough assessment of the risks and vulnerabilities concerning the ePHI in its possession. [2] Implement sufficient security procedures to adequately reduce the risks and vulnerabilities to its ePHI. [3] Implement adequate hardware, software, or procedural mechanisms to record and review activity on its information systems containing ePHI until March 2015. [4] Prevent unauthorized access to the ePHI of more than 10.4 million individuals that was stored on its network."

Tags: HIPAA

Second-Largest HIPAA Fine Paid by Premera Blue Cross for 2014 Breach
FierceHealthcare
Sept. 28, 2020

"During the breach, which went undetected for nearly nine months ... a hacker had unauthorized access to the Premera network containing 10.4 million individuals' protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and health plan clinical information, according to HHS. The hackers used a phishing email to install malware that gave them access to Premera's IT system."

Tags: Cybersecurity  •  HIPAA

Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People
U.S. Department of Health and Human Services [HHS]
Sept. 25, 2020

"Premera Blue Cross (PBC) has agreed to pay $6.85 million to [OCR] and to implement a corrective action plan to settle potential violations of the [HIPAA] Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history."

Tags: HIPAA

OCR Releases Guidance on HIPAA for Mobile Health Technology
Jackson Lewis
Sept. 25, 2020

"The increased use of mobile health applications and other related tools to assist healthcare providers with facilitation of telehealth capabilities also comes with an increased risk of data breaches and improper disclosures of protected health information (PHI) to unauthorized individuals. The features of OCR's new Health apps are a great starting point for HIPAA covered entities and business associates that utilize mobile health apps and want to ensure compliance with their HIPAA obligations."

Tags: HIPAA

Hacker's Theft of Over Six Million Individuals' PHI Leads to $2.3 Million HIPAA Settlement
Thomson Reuters Practical Law
Sept. 25, 2020

"In April 2014, a cyberhacking group used compromised credentials to remotely access the BA's information system through its virtual private network (VPN). Although the BA was initially unaware of the incident, it received notice of the intrusion from the FBI eight days after it occurred. Despite this notice, however, the attacker's impermissible access continued until August 2014."

Tags: HIPAA

HIPAA Business Associate Pays $2.3 Million to Settle Breach
Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS]
Sept. 24, 2020

"CHSPSC LLC has agreed to pay $2,300,000 to [OCR] ... and to adopt a corrective action plan to settle potential violations of the [HIPAA] Privacy and Security Rules related to a breach affecting over six million people. CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee."

Tags: HIPAA

Hacker Group's Impermissible Access to ePHI Leads to $1.5 Million HIPAA Settlement
Thomson Reuters Practical Law
Sept. 22, 2020

"HHS's investigation revealed that the CE failed to: [1] Prevent the unauthorized disclosure of electronic protected health information (ePHI) of more than 208,500 individuals. [2] Maintain copies of its HIPAA policies and procedures. [3] Implement certain technical safeguards. [4] Enter into business associate (BA) agreements with three of its BAs. [5] Provide HIPAA training to all workforce members. [6] Conduct an accurate and thorough risk analysis concerning the ePHI in its possession. [7] Implement sufficient security measures to reduce risks and vulnerabilities to the ePHI in its possession."

Tags: HIPAA

HIPAA Covered Entities and Business Associates Need an IT Asset Inventory List, OCR Recommends
Jackson Lewis
[Guidance Overview]
Sept. 8, 2020

"[W]hile the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis and, in turn, in implementing appropriate safeguards -- which are HIPAA Security Rule requirements. Essentially, if an organization doesn't know what IT assets it has or where its ePHI is, how can it effectively assess the risks associated with those assets and information and protect them?"

Tags: HIPAA

Editor's Pick OCR Cybersecurity Newsletter Highlights HIPAA Benefits of IT Asset Inventories
Thomson Reuters / EBIA
Sept. 3, 2020

"The Summer 2020 OCR Cybersecurity Newsletter ... describes how the IT asset inventory can improve an organization's risk analysis through increased understanding of how electronic PHI is created and enters, flows through, and leaves the organization. The newsletter explains that it may also be beneficial for the inventory to include assets that do not store or process PHI since those assets may present a method for intrusion into IT systems."

Tags: HIPAA

Recent OCR Settlements Target HIPAA Security Rule Non-Compliance
Data Matters, Sidley Austin LLP
Aug. 28, 2020

"The first three HIPAA settlements of 2020 highlight that compliance with the Security Rule remains a top priority for OCR in its investigations. In all three investigations, OCR scrutinized the Covered Entities' alleged sustained failure to implement appropriate safeguards in accordance with the HIPAA Security Rule standards, at times knowingly."

Tags: HIPAA

HHS Addresses HIPAA Rules for Contacting COVID-19 Survivors About Donating Plasma
Thomson Reuters Practical Law
[Guidance Overview]
Aug. 26, 2020

"[H]ealth plans may use PHI (such as COVID-19 test results) to identify and contact individuals who have recovered from COVID-19 to inform them about how to donate their plasma.... These actions are permitted as health care operations activities to the extent that facilitating the supply of donated convalescent plasma is expected to improve a health plan's or provider's ability to conduct case management for individuals who have or may become infected with COVID-19."

Tags: Coronavirus (COVID-19)  •  HIPAA

Editor's Pick Remote Control: HIPAA Challenges for a Growing Virtual Workforce
Buck
Aug. 26, 2020

"To mitigate the risk of compromising protected health information with an increased virtual workforce, ... a thorough risk analysis [would include] the threats posed by personal devices, a remote workforce, unsecured electronic transmission, epidemic/pandemic protocols, and computer virus/malicious code. The risk analysis should be performed by a combination of IT, Benefits, and Physical Security personnel, and should document the likelihood and cost impact of these threats and list the mitigating controls in place for each."

Tags: Coronavirus (COVID-19)  •  HIPAA

Trump Administration Adds Health Plans to June 2020 Plasma Donation Guidance
U.S. Department of Health and Human Services [HHS]
[Guidance Overview]
Aug. 24, 2020

"OCR added health plans to the June 2020 guidance that explains how HIPAA permits covered health care providers and health plans to identify and contact patients and beneficiaries who have recovered from COVID-19 for individual and population-based case management or care coordination. The guidance also emphasizes that, without individuals' authorization, the providers and health plans cannot receive any payment from, or on behalf of, a plasma donation center in exchange for such communications with recovered individuals."

Tags: Coronavirus (COVID-19)  •  HIPAA


© 2020 BenefitsLink.com, Inc.