News

All News > HIPAA

Health and Welfare Benefits Monthly Update, April 2024 (PDF)
Alston & Bird
[Guidance Overview]
Apr. 11, 2024

29 presentation slides. Topics: [1] Washington update; [2] STLDI and fixed indemnity regulations; [3] Wellness incentives/surcharges: benefits areas of concern; [4] Updates to HIPAA online tracking; and [5] Compliance corner.

Tags: HIPAA  •  Health Plan Administration  •  Health Plan Design

Cybersecurity Best Practices for Employers in the Wake of the Change Healthcare Attack
Burnham Benefits
Apr. 11, 2024

"As a group health plan sponsor, an employer's responsive obligations arising in the context of certain cybercrime events depends largely upon the underlying funding status of the employer's core employee benefit plans ... Additional privacy and security related obligations for the employer may be detailed in various state-level statutory mandates or even within certain international laws or other global-scope regulations.... Several notifications may be required as a consequence of a data breach.... Communication with employees is important[.]"

Tags: Cybersecurity  •  HIPAA

HHS Aligns Part 2 Rules with the HIPAA Privacy Rules: Effects on Self Insured Plan Sponsors
Kilpatrick Townsend
[Guidance Overview]
Apr. 4, 2024

"Part 2 imposes requirements for substance use disorder (SUD) treatment records ... The Part 2 regulations will come into play typically with employee assistance programs, as well as mental health and substance abuse disorder vendors for a medical plan.... Even though a self-insured health plan sponsor contracts with an EAP or SUD vendor and requires the EAP and SUD vendor to comply with Part 2 and the HIPAA privacy rules (as well as signing a BAA), under the HIPAA privacy rules, self-insured health plans remain responsible for HIPAA privacy compliance."

Tags: HIPAA

HHS Submits Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance
Benesch
Apr. 3, 2024

"Notwithstanding the challenges faced by OCR in enforcing HIPAA compliance amidst rising cybersecurity threats and increasing regulatory responsibilities, the Report provides valuable insight into the OCR investigation process.... [The] steeper penalties resulting from failure to maintain recognized security practices should serve as a cautionary tale to covered entities and business associates. Based on the findings highlighted in the Report, here are ... recommendations for entities regulated by HIPAA to improve compliance and enhance data protection efforts."

Tags: HIPAA

Change Healthcare Provides Update on 'Impacted Data' Analysis and Notification Plan
BakerHostetler
Mar. 29, 2024

"[As of March 27,] CHC is still determining the contents of the 'data that was taken by the threat actor.' ... A third-party vendor has been engaged to assist with data analysis.... It could be some time before CHC announces the scope of data involved.... CHC data has not been found on the dark web.... CHC will be offering to provide notifications for customers 'where permitted.' ... The latest statement from CHC itself does not start any covered entity's '60-day timeline.' "

Tags: Cybersecurity  •  HIPAA

Is Your Data Secure? HHS Opens Investigation into Change Healthcare Cyberattack
Haynes and Boone, LLP
Mar. 27, 2024

"Although the OCR stated it is not prioritizing investigations of health care providers, health plans or business associates that were impacted by this cyberattack, the OCR did remind entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that up-to-date business associate agreements are in effect, and that timely breach notifications to HHS and the affected individuals are provided."

Tags: Cybersecurity  •  HIPAA

Understanding OCR's Updated Guidance on Health Data Tracking and HIPAA Privacy Rule
Constangy, Brooks, Smith & Prophete LLP
[Guidance Overview]
Mar. 25, 2024

"OCR's updated guidance reflects its view that tracking technologies used by regulated entities on user-authenticated webpages and mobile applications generally do collect protected health information, referred to as PHI. Where the new guidance differs, however, is on the information collected via tracking technologies on unauthenticated webpages."

Tags: HIPAA

Revised OCR Guidance Raises Questions About Use of Online Tracking Technologies by HIPAA-Covered Entities and Business Associates
Health Law Advisor, Epstein Becker Green
[Guidance Overview]
Mar. 22, 2024

"OCR has now ... opined that the information collected may not be PHI depending on the individual user's reason for visiting a Regulated Entity's unauthenticated pages on a website or mobile app.... The updated guidance does not address how an individual's reason for visiting its website ... can be discerned at the point of collection through these automated electronic processes. Nor does the guidance expressly state that consideration of the reason for the individual's visit may be considered by OCR in its enforcement efforts."

Tags: HIPAA

HHS Reminds HIPAA Covered Entities of Obligations in Wake of Change Healthcare Cyberattack
Thomson Reuters / EBIA
Mar. 21, 2024

"OCR urges covered entities to review cybersecurity measures 'with urgency' ... Covered entities should address in their risk analysis and risk management plans their due diligence process in selecting business associates, including ensuring that contracts include appropriate provisions to safeguard ePHI. If a covered entity knows of a pattern of activity or practice of a business associate that constitutes a material breach of the contract, it may be obligated to take certain steps to cure the breach and, if those steps are unsuccessful, to terminate the contract."

Tags: HIPAA

HHS Updates Pixels and Trackers Guidance for HIPAA Regulated Entities
Foley & Lardner LLP
[Guidance Overview]
Mar. 20, 2024

"[B]ased on the examples given by HHS in the Bulletin, if the tracking technologies are accessing information regarding an individual seeking health care services (e.g., looking at oncology services to seek treatment options, scheduling an appointment, or using a symptom tracker tool even without entering credentials), that tracking technology has access to PHI. This would mean the HIPAA regulated entity needs a business associate agreement with the third party or a HIPAA compliant authorization for the sharing."

Tags: HIPAA

Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
U.S. Department of Health and Human Services [HHS]
[Official Guidance]
Mar. 19, 2024

"[B]ecause of the proliferation of tracking technologies collecting sensitive information, OCR is providing this reminder that it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. To this end, this Bulletin provides guidance for regulated entities to consider when contemplating the use of tracking technologies, including an overview of how the HIPAA Rules apply to regulated entities' use of tracking technologies."

Tags: Cybersecurity  •  HIPAA

OCR Guidance Reminds Health Plans to Ensure Online Tracking HIPAA Compliance
Solutions Law Press
[Guidance Overview]
Mar. 19, 2024

"The Guidance reminds covered entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) apply to their use of online tracking technologies like Google Analytics or Meta Pixel, collect and analyze information about how users are interacting with a regulated entity's website or mobile application."

Tags: HIPAA

Manage Health Plan HIPAA, ERISA and Other Exposures from Change Healthcare Ransomware Attack
Solutions Law Press
Mar. 18, 2024

"While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and ERISA."

Tags: Cybersecurity  •  HIPAA

HHS Launches HIPAA Compliance Investigation of Change Healthcare Following Cyberattack
Thomson Reuters Practical Law
[Guidance Overview]
Mar. 15, 2024

"HHS's investigation of the target company, a business associate (BA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will focus on whether the target company and its corporate parent (a major health insurer) complied with HIPAA's privacy, security, and breach notification rules."

Tags: HIPAA

HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack
U.S. Department of Health and Human Services [HHS]
[Official Guidance]
Mar. 14, 2024

"[HHS'] Office for Civil Rights (OCR) issued a 'Dear Colleague' letter addressing the cybersecurity incident impacting Change Healthcare ... The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry." [Also available: Fact Sheet]

Tags: HIPAA  •  Health Plan Administration

Change Healthcare Cyber Incident and Potential Customer Impacts
Willis Towers Watson
Mar. 11, 2024

"For organizations with potential exposures arising from the Change Healthcare cyber incident, it's imperative to connect with your internal stakeholders to proactively identify possible financial impacts.... [O]rganizations who have been impacted should strongly consider putting their cyber insurers on notice. Further, organizations that use UnitedHealthcare, Optum or Change Healthcare, but are not yet sure they have been impacted by this incident, should ... determine whether proactively issuing a notice of circumstance is the right course of action."

Tags: Cybersecurity  •  HIPAA  •  Health Plan Administration

Are HIPAA Covered Entities and Business Associates Required to Have a Risk Analysis and a Risk Management Plan? (PDF)
Thomson Reuters / EBIA
[Guidance Overview]
Mar. 8, 2024

"The risk analysis ... must address all ePHI across the entire enterprise and identify deficiencies in compliance programs when compared to the HIPAA security rule. Based on the results of the risk analysis, the risk management plan is created to determine what safeguards need to be implemented to bring the identified risks and vulnerabilities to a reasonable level."

Tags: HIPAA

HHS Reports to Congress on 2022 HIPAA Compliance and Breach Notifications
Thomson Reuters / EBIA
Mar. 6, 2024

"OCR received 30,435 complaints in 2022 -- about 11% fewer than in 2021.... OCR notes that it received 626 large breach notifications affecting approximately 41,747,613 individuals, with hacking incidents the most frequent type of breach and network servers the most frequent breach location. Almost 64,000 small breach notifications were reported affecting 257,105 individuals, with unauthorized access or disclosure the most frequent type of breach and paper records the most frequent breach location."

Tags: Cybersecurity  •  HIPAA

Navigating EAP Compliance: A Guide for Employers
EisnerAmper
[Guidance Overview]
Feb. 27, 2024

"[T]he increased need to address employees' mental and physical health conditions is expected to expand EAP services by 11% or more in each of the three successive years, 2024-2027. The continued expansion of assistance services means employers with these programs must maintain ongoing compliance.... [1] How to comply with ERISA  ... [2] COBRA election notices  ... [3] HIPAA considerations for EAP compliance."

Tags: COBRA  •  HIPAA  •  Health Plan Administration  •  Health Plan Design

Federal Regulators Unveil Revised Final Guidance for Healthcare Cybersecurity and HIPAA Compliance
Ogletree Deakins
[Guidance Overview]
Feb. 26, 2024

"HHS and NIST issued new guidance to provide information and serve as a resource for HIPAA-regulated entities to improve cybersecurity and compliance with the HIPAA Security Rule. The guidance comes after HHS announced a new carrots-and-sticks strategy to improve cybersecurity in the healthcare industry with additional resources and a proposal to increase civil penalties for data breaches to incentivize security measures."

Tags: Cybersecurity  •  HIPAA

In Its Second-Ever HIPAA Settlement on Ransomware, HHS Offers Best Practices for Avoiding Cyber-Attacks
Thomson Reuters Practical Law
Feb. 26, 2024

"The CAP also requires the provider to develop (or update) its HIPAA policies and procedures. As revised, the policies and procedures must address -- at a minimum -- a lengthy set of issues under HIPAA's Privacy and Security Rules[.]"

Tags: Cybersecurity  •  HIPAA

HHS Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2022 (PDF)
U.S. Department of Health and Human Services [HHS]
Feb. 22, 2024

26 pages. "OCR received 626 notifications of breaches affecting 500 or more individuals, representing an increase of 3% from the number of reports received in calendar year 2021. These reported breaches affected a total of approximately 41,747,613 individuals.... OCR completed 799 breach investigations ... OCR resolved three breach investigations with resolution agreements, corrective action plans, and monetary payments totaling $2,425,640."

Tags: HIPAA

In Updated HIPAA Security Rule Guide, NIST Addresses Cybersecurity and Other Topics
Thomson Reuters Practical Law
[Guidance Overview]
Feb. 22, 2024

"The 2024 guide offers drill-down information on complying with the Security Rule's administrative, physical, and technical safeguards for protected health information (PHI) in electronic form."

Tags: Cybersecurity  •  HIPAA  •  Health Plan Administration

OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
McGuireWoods
Feb. 21, 2024

"HHS released voluntary cybersecurity performance goals catered to the healthcare and public health sectors. In addition, healthcare organizations -- no matter how big or small -- can access helpful guidance through HHS' and the Cybersecurity & Infrastructure Security Agency's joint cybersecurity toolkit. With these resources available, if healthcare entities become victims of a breach of ePHI without having adequate security measures in place, they may face an OCR investigation and similar penalties or enforcement actions."

Tags: HIPAA

Text of OCR/NIST Publication SP 800-66 Rev. 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (PDF)
Office for Civil Rights [OCR], U.S. Department of Health and Human Services [HHS], and National Institute of Standards and Technology [NIST]
[Official Guidance]
Feb. 16, 2024

122 pages. "The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. This publication provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule." [Also available: HIPAA Security Rule Resources (18 pages)]

Tags: Cybersecurity  •  HIPAA

© 2024 BenefitsLink.com, Inc.