HHS Fact Sheet Provides Helpful Information in Addressing Ransomware Attacks under HIPAA

The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack. According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware. Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer…

Updated Marketplace Employer Appeal Request Form

CMS has posted an updated Marketplace Employer Appeal Request Form dated July 2016. The updated form includes formatting changes to the contact information sections and is available here.

IRS Forms 1094-C/1095-C Draft Instructions Released

The IRS recently released draft instructions for Forms 1094/1095 that correspond with the draft Forms 1094/1095 the IRS released in July (please see our prior blog post on the draft forms here). Highlights of the changes and clarifications in the draft instructions for Forms 1094/1095 include: Certain transition relief available in 2015 remains available for non-calendar year plans for the portion of the 2015 plan year that ends in 2016; Certain coding used in Forms 1094-C/1095-C has been reserved for 2016; and Retirees who separated from employment should be reported the same as COBRA participants who separated from employment. Filing Dates and Extensions: To the IRS. The 2016 Form(s) 1094-C and accompanying Forms 1095-C must be filed electronically with the IRS by March 31, 2017 (February 28, 2017 if paper filing is used). An automatic 30-day extension is available if filed no later than the due date. Another 30-day extension may…

IRS Issues Proposed Regulations Addressing Certain Minimum Essential Coverage Reporting Issues Under Code Section 6055

The IRS issued proposed regulations on August 2, 2016, clarifying certain minimum essential coverage (“MEC”) reporting issues related to IRS Forms 1095-B and 1095-C, Part III. Form 1095-B is used to report MEC by insurance carriers for fully-insured MEC and by small employers with self-insured MEC who are not otherwise subject to the employer shared responsibility provisions of the Affordable Care Act. Form 1095-C, Part III is used by large employers with self-insured MEC. A change that is of significant interest to reporting entities is the revised safe harbor for soliciting TINs (e.g., SSNs) from covered participants. The revised safe harbor still requires up to three attempts to obtain a covered participant’s TIN pursuant to specific procedures set out in the proposed regulations. The covered participant’s date of birth may continue to be used as a substitute for solicited TINs missing when reporting is due. A reporting entity does not…

Additional HIPAA Compliance Guidance Issued

The OCR recently issued three guidance documents in response to questions received from covered entities currently under audit: (1) a list of all Q&As received from audited entities; (2) a table showing the documents OCR requested for each audit protocol and the Q&As associated with that audit protocol; and (3) slides from an OCR webinar for audited entities. The OCR is currently auditing covered entities, such as employer-sponsored group health plans, for compliance with HIPAA’s privacy and security rules. This new guidance should be helpful to plan sponsors, as well as to HIPAA Privacy and Security Officials, in their ongoing HIPAA compliance efforts. View the three guidance documents.

Largest Single-Entity Settlement to Date Due to HIPAA Non-Compliance

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently entered into a $5.55 million settlement agreement with Advocate Health Care Network and its subsidiaries (“Advocate”) to resolve multiple potential violations of HIPAA involving electronic protected health information (“EPHI”). The settlement results from OCR’s investigation of Advocate which began in 2013 after Advocate submitted three breach notification reports to OCR within a three-month timespan. The reported breaches involved (1) the theft from one of Advocate’s support centers of four desktop computers containing unsecured EPHI of nearly four million individuals, (2) unauthorized access of unsecured EPHI from the computer network of Advocate’s business associate (“BA”), and (3) the theft of a laptop containing unsecured EPHI from an Advocate workforce member’s vehicle. Upon its investigation, OCR determined that Advocate failed to (a) conduct an accurate and thorough risk analysis related to its utilization of EPHI, (b) implement…

Ninth Circuit Holds that “Church Plan” Must Be Established By a Church or Convention or Association of Churches

The U.S. Court of Appeals for the Ninth Circuit affirmed a district court decision that a church plan must be established by a church or by a convention or association of churches in order to be exempt from ERISA as a “church plan.” Under the court’s interpretation of the church plan exemption, it is not enough that the plan is maintained by a church-controlled or church-affiliated organization whose principal purpose or function is to provide benefits to church employees. The case was remanded to the district court for further proceedings. The opinion in Rollins v. Dignity Health, No. 15-15351 (9th Cir. July 26, 2016) is available here.

DOL Increases Civil Penalties for Various ERISA Violations

On July 1, 2016, the DOL issued an interim final rule that adjusts the amounts of civil penalties assessed or enforced in its regulations, including for violations of ERISA. The penalties that were increased include the following, among many others: (1) the penalty for a failure to properly file a pension or welfare plan’s Form 5500 increased from up to $1,100 per day to up to $2,063 per day; (2) the penalty for a failure to notify participants of certain benefit restrictions under Code Section 436 or to furnish automatic contribution arrangement notices increased from up to $1,000 per day to up to $1,632 per day; (3) the penalty for a failure to provide notices of blackout periods, or notice of the right to divest employer securities, increased from up to $100 per day to up to $131 per day; and (4) the penalty for a failure to provide employees…

August 2016