The U.S. Department of Health and Human Services (“HHS”) recently issued an interim final rule (the “HHS Rule”), which sets out inflation adjustments to the civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the “2015 Act”). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial “catch up” adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows: Prior $$…
A HIPAA Notice of Privacy Practices must be provided to new group health plan participants at the time of enrollment and within 60 days of a material revision. In addition, participants must be notified of the availability of the notice at least once every three years. This requirement can be satisfied by distributing either a copy of the notice or a reminder of the availability of the notice. A reminder of the availability of the notice can be included in annual enrollment materials or other plan publications sent to all participants. For example, group health plans that distributed a new Notice of Privacy Practices in 2013 when the final HIPAA regulations were issued should ensure they have satisfied this reminder requirement in 2016.
The HHS Office for Civil Rights (“OCR”) recently announced an initiative to more widely investigate HIPAA privacy breaches affecting fewer than 500 individuals. Generally, all reported breaches involving 500 or more individuals are automatically investigated by OCR. Breaches involving fewer than 500 individuals will not automatically be investigated, but Regional Offices will increase efforts to investigate smaller breaches based on (1) the size of the breach, (2) theft or improper disposal of unencrypted protected health information (“PHI”), (3) breaches involving hacking, (4) the sensitive nature of the PHI involved, and (5) whether numerous breach reports from the same entity raise similar issues. View additional information on OCR’s enforcement of HIPAA.
The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack. According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware. Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer…
The OCR recently issued three guidance documents in response to questions received from covered entities currently under audit: (1) a list of all Q&As received from audited entities; (2) a table showing the documents OCR requested for each audit protocol and the Q&As associated with that audit protocol; and (3) slides from an OCR webinar for audited entities. The OCR is currently auditing covered entities, such as employer-sponsored group health plans, for compliance with HIPAA’s privacy and security rules. This new guidance should be helpful to plan sponsors, as well as to HIPAA Privacy and Security Officials, in their ongoing HIPAA compliance efforts. View the three guidance documents.
The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently entered into a $5.55 million settlement agreement with Advocate Health Care Network and its subsidiaries (“Advocate”) to resolve multiple potential violations of HIPAA involving electronic protected health information (“EPHI”). The settlement results from OCR’s investigation of Advocate, which began in 2013 after Advocate submitted three breach notification reports to OCR within a three-month timespan. The reported breaches involved (1) the theft from one of Advocate’s support centers of four desktop computers containing unsecured EPHI of nearly four million individuals, (2) unauthorized access of unsecured EPHI from the computer network of Advocate’s business associate (“BA”), and (3) the theft of a laptop containing unsecured EPHI from an Advocate workforce member’s vehicle. Upon its investigation, OCR determined that Advocate failed to (a) conduct an accurate and thorough risk analysis related to its utilization of EPHI, (b) implement…
HHS recently entered into a Resolution Agreement with North Memorial Health Care of Minnesota (“North Memorial”) to settle charges that North Memorial potentially violated HIPAA by failing to (1) enter into a business associate agreement with a major contractor and (2) implement a comprehensive risk analysis with respect to the security of its patients’ protected health information. OCR launched an investigation of North Memorial after an unencrypted laptop was stolen from the vehicle of an employee of its business associate. As part of the settlement, North Memorial agreed to pay HHS $1.55 million and to a corrective action plan under which North Memorial must, among other conditions, review and revise its HIPAA policies, procedures, and training as well as develop an organization-wide risk analysis and risk management plan. The Resolution Agreement is available here.
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently announced it has begun its next phase of audits to assess the compliance of covered entities, such as employer-sponsored health plans, and their business associates with the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act (“HIPAA”). During this phase of the audit program, OCR will review the HIPAA policies and procedures adopted by covered entities and business associates, primarily through desk audits but also via some on-site audits. OCR is currently sending letters by email to covered entities and business associates to verify their contact information and will subsequently send pre-audit questionnaires to gather information that OCR will use to identify potential audit candidates. In light of this new audit program, as well as several recent high-dollar and burdensome settlement agreements that the U.S. Department of Health and Human…
The Office of Inspector General for the U.S. Department of Health and Human Services (“HHS”) recently released a report that recommends that HHS’s Office for Civil Rights (“OCR”) strengthen its oversight of covered entities’ compliance with the Privacy Rule under the Health Insurance Portability and Accountability Act (“HIPAA”). One specific recommendation is that OCR fully implement the audit program required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, so that OCR can proactively gauge HIPAA compliance, rather than launching investigations of covered entities’ privacy practices solely in response to complaints, tips, or media reports of possible noncompliance. Responding to these recommendations in a letter dated September 23, 2015, the Director of OCR stated that the second phase of the HIPAA audit program will be launched in early 2016. According to that letter, the upcoming round of audits will (1) include both “desk reviews of policies” and…
The U.S. Department of Health and Human Services (“HHS”) recently entered into a Resolution Agreement with St. Elizabeth’s Medical Center (“SEMC”) to settle charges that SEMC violated HIPAA by failing to implement sufficient security measures to safeguard protected health information (“PHI”) when using certain Internet-based document sharing applications. In addition, SEMC allegedly failed to timely respond to, and mitigate damages caused by, the breach of unsecured PHI on an employee’s personal laptop and thumb drive. As part of the settlement, SEMC agreed to pay HHS nearly $220,000 and to a corrective action plan under which SEMC must, among other things, review and revise its HIPAA policies, procedures, and training; retrain its workforce who have access to PHI; and submit to certain other reporting and record retention requirements. Employers that sponsor group health plans, in consultation with legal counsel, should undertake a review to ensure full compliance with HIPAA’s privacy and…