"These resolution agreements address fundamental and common privacy and security issues and provide a reminder that not all breaches are the result of sophisticated cyberattacks. Prosaic failures can also expose PHI to unauthorized disclosures, underscoring the importance of adopting clear policies and procedures, followed by workforce training and consistent implementation."

19 pages. "[In] addition to requiring covered entities and business associates to take corrective action in hundreds of cases, for 2018, the Department resolved eleven investigations with resolution agreements/corrective action plans or the imposition of civil money penalties totaling more than $28 million."

470 pages. "The final rules set forth requirements for group health plans and health insurance issuers in the individual and group markets to disclose cost-sharing information upon request to a participant, beneficiary, or enrollee (or his or her authorized representative), including an estimate of the individual's cost-sharing liability for covered items or services furnished by a particular provider. Under the final rules, plans and issuers are required to make this information available on an internet website and, if requested, in paper form, thereby allowing a participant, beneficiary, or enrollee (or his or her authorized representative) to obtain an estimate and understanding of the individual's out-of-pocket expenses and effectively shop for items and services. The final rules also require plans and issuers to disclose in-network provider negotiated rates, historical out-of-network allowed amounts, and drug pricing information through three machine-readable files posted on an internet website, thereby allowing the public to have access to health coverage information that can be used to understand health care pricing and potentially dampen the rise in health care spending. The Department of Health and Human Services (HHS) also finalizes amendments to its medical loss ratio (MLR) program rules to allow issuers offering group or individual health insurance coverage to receive credit in their MLR calculations for savings they share with enrollees that result from the enrollees shopping for, and receiving care from, lower-cost, higher-value providers.... The final rules are effective [60 days after publication in the Federal Register, now scheduled for Nov. 12, 2020]." [Also available: press release and Fact Sheet]

"HHS's investigation revealed that the insurer: [1] Failed to conduct a periodic technical and nontechnical evaluation following environmental or operational changes affecting the security of PHI. [2] Impermissibly disclosed the PHI of approximately 18,500 individuals. [3] Failed to limit disclosed PHI to the minimum necessary to accomplish the intended purpose. [4] Failed to implement appropriate administrative, technical, and physical safeguards to protect PHI in its possession."

"[On] April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines. Aetna reported that 5,002 individuals were affected by this breach ... In addition to the monetary settlement, Aetna will undertake a corrective action plan that includes two years of monitoring."

"The OCR has announced a surprising number of HIPAA settlements in the past few months with penalties ranging from $10,000 to $6.5 million.... [K]ey takeaways ... [1] Protect against cyberattacks.... [2] Perform an effective security risk assessment.... [3] Maintain appropriate policies and safeguards.... [4] Encrypt your devices.... [5] Respect the [individual's] right to access their information.... [6] Respond promptly to known or suspected concerns.... [7] Report breaches in a timely manner.... [8] Business associates beware! ... [9] Small providers are not exempt.... [10] Do not disclose PHI on social media."

"Once the employer determines that a breach of unsecured PHI has occurred in a self-insured health plan, HIPAA requires notice to the affected individuals, HHS, and in some cases the media depending on the scope of the breach.... [1] Determining whether a breach has occurred: the risk assessment ... [2] The three exclusions from breach ... [3] Breach notification step #1: Notice to affected individuals ... [4] Breach notification step #2: Notice to HHS ... [5] Breach notification step #3: Notice to the media (500+ only)."

"[E]nterprise-wide risk analyses should account not only for PHI, but also for other personally identifiable information (PII). Nearly every organization will possess PII, ... with each bearing privacy and security obligations under a variety of federal laws and regulations specifically addressing cybersecurity practices. Organizations must also be mindful of state and local requirements concerning cybersecurity[.]"

"Most employer-sponsored dental, vision, health FSA, and EAP plans are excepted benefits that are not subject to certain ACA and HIPAA requirements.... Examples of ACA market reform provisions not applicable to excepted benefits ... Examples of HIPAA portability provisions not applicable to excepted benefits ... [1] Dental plan ... [2] Vision plan ... [3] Health FSA ... [4] EAP."

"[1] CARES Act: coverage of COVID-19 testing and COVID-19 antibody testing and preventative care (mandated) ... [2] CARES Act: telehealth and high deductible health plans (optional) ... [3] CARES Act and reimbursements for over-the-counter drugs and women's products (optional) ... [4] COBRA changes may have significant impact on employers (mandated) ... [5] HIPAA Special enrollment rights -- Expanded timeframes (mandated change) ... [6] ERISA claims procedures and COVID-19 (mandated change) ... [7] Mid-year election year changes expanded (optional)."

"The three largest settlements all relate to breaches from hackers who had access to ePHI over an extended period of time. One of the settlements involves the second-largest HIPAA settlement amount in OCR's history, amounting to $6.85 million. In addition to the three breach-related settlements, the OCR announced this past month that it had entered into five settlements related to patients' access to their own health records."

"This resolution agreement highlights vulnerabilities that can be introduced from outside a covered entity's or business associate's own operating environment. Notably, OCR repeatedly refers to the third party in this settlement as a vendor rather than a business associate, implying that although the third party did not have direct access to PHI, its credentials could be used to gain access."

"HHS's investigation revealed that the plan failed to: [1] Conduct an accurate and thorough assessment of the risks and vulnerabilities concerning the ePHI in its possession. [2] Implement sufficient security procedures to adequately reduce the risks and vulnerabilities to its ePHI. [3] Implement adequate hardware, software, or procedural mechanisms to record and review activity on its information systems containing ePHI until March 2015. [4] Prevent unauthorized access to the ePHI of more than 10.4 million individuals that was stored on its network."

"During the breach, which went undetected for nearly nine months ... a hacker had unauthorized access to the Premera network containing 10.4 million individuals' protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and health plan clinical information, according to HHS. The hackers used a phishing email to install malware that gave them access to Premera's IT system."

"Premera Blue Cross (PBC) has agreed to pay $6.85 million to [OCR] and to implement a corrective action plan to settle potential violations of the [HIPAA] Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history."

"The increased use of mobile health applications and other related tools to assist healthcare providers with facilitation of telehealth capabilities, also comes with an increased risk of data breaches and improper disclosures of protected health information (PHI) to unauthorized individuals. The features of OCR's new Health apps are a great starting point for HIPAA covered entities and businesses associates that utilize mobile health apps, and want to ensure compliance with their HIPAA obligations."

"In April 2014, a cyberhacking group used compromised credentials to remotely access the BA's information system through its virtual private network (VPN). Although the BA was initially unaware of the incident, it received notice of the intrusion from the FBI eight days after it occurred. Despite this notice, however, the attacker's impermissible access continued until August 2014."

"CHSPSC LLC has agreed to pay $2,300,000 to [OCR] ... and to adopt a corrective action plan to settle potential violations of the [HIPAA] Privacy and Security Rules related to a breach affecting over six million people. CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee."

"HHS's investigation revealed that the CE failed to: [1] Prevent the unauthorized disclosure of electronic protected health information (ePHI) of more than 208,500 individuals. [2] Maintain copies of its HIPAA policies and procedures. [3] Implement certain technical safeguards. [4] Enter into business associate (BA) agreements with three of its BAs. [4] Provide HIPAA training to all workforce members. [5] Conduct an accurate and thorough risk analysis concerning the ePHI in its possession. [6] Implement sufficient security measures to reduce risks and vulnerabilities to the ePHI in its possession."

"[W]hile the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn and implementing appropriate safeguards -- which are HIPAA Security Rule requirements. Essentially, if an organization doesn't know what IT assets it has or where its ePHI is, how can it effectively assess the risks associated with those assets and information and protect them?"

"The Summer 2020 OCR Cybersecurity Newsletter ... describes how the IT asset inventory can improve an organization's risk analysis through increased understanding of how electronic PHI is created and enters, flows through, and leaves the organization. The newsletter explains that it may also be beneficial for the inventory to include assets that do not store or process PHI since those assets may present a method for intrusion into IT systems."

"The first three HIPAA settlements of 2020 highlight that compliance with the Security Rule remains a top priority for OCR in its investigations. In all three investigations, OCR scrutinized the Covered Entities' alleged sustained failure to implement appropriate safeguards in accordance with the HIPAA Security Rule standards, at times knowingly."

"[H]ealth plans may use PHI (such as COVID-19 test results) to identify and contact individuals who have recovered from COVID-19 to inform them about how to donate their plasma.... These actions are permitted as health care operations activities to the extent that facilitating the supply of donated convalescent plasma is expected to improve a health plan's or provider's ability to conduct case management for individuals who have or may become infected with COVID-19."

"To mitigate the risk of compromising protected health information with an increased virtual workforce, ... a thorough risk analysis [would include] the threats posed by personal devices, a remote workforce, unsecured electronic transmission, epidemic/pandemic protocols, and computer virus/malicious code. The risk analysis should be performed by a combination of IT, Benefits, and Physical Security personnel, and should document the likelihood and cost impact of these threats and list the mitigating controls in place for each."

"OCR added health plans to the June 2020 guidance that explains how HIPAA permits covered health care providers and health plans to identify and contact patients and beneficiaries who have recovered from COVID-19 for individual and population-based case management or care coordination. The guidance also emphasizes that, without individuals' authorization, the providers and health plans cannot receive any payment from, or on behalf of, a plasma donation center in exchange for such communications with recovered individuals."