
HIPAA Covered Entity Incurs $300,640 Settlement Penalty Over Improper PHI Disposal

A recent settlement announced by the HHS’s Office for Civil Rights (“OCR”) is a great reminder for all covered entities, including group health plans, to remain vigilant in protecting PHI. OCR recently announced a settlement with a HIPAA covered entity over the covered entity’s improper disposal of PHI under the HIPAA privacy and security rules (“HIPAA Rules”). In this case, the covered entity was a health care provider that routinely disposed of empty specimen containers labeled with PHI by placing them in an outdoor unprotected garbage bin. A breach of PHI occurred when one of the labeled containers was found by a third-party security guard. Upon its investigation into the breach, OCR determined that (i) the covered entity did not maintain appropriate safeguards to protect the privacy of PHI, as required by the HIPAA Rules, and (ii) the covered entity impermissibly disclosed PHI to unauthorized individuals in violation of the…

HIPAA Breach by Express Scripts Vendor Triggers Plan Sponsor Actions

Many employers that sponsor a group health plan which is a “covered entity” subject to the HIPAA privacy and security rules have recently received notice from Express Scripts, Inc., a pharmacy benefit manager (“ESI”), regarding a cyberattack on the computer network of its subcontractor, Medical Review Institute of America (“MRIA”). This cyberattack apparently resulted in a HIPAA breach of current or former participants’ protected health information (“PHI”) under the plans. The breach notices were sent to the employers by ESI in its capacity as a HIPAA business associate of the plans. A breach of unsecured PHI triggers notification obligations on the part of covered entities under HIPAA’s breach notification regulations (the “Breach Rules”), including (i) notifications to the individuals whose PHI was involved in the breach (the “Impacted Individuals”), and (ii) notification to HHS. Such notifications are subject to specific requirements of the Breach Rules, including content and timing requirements. ESI’s…

Retirement Plan Cybersecurity—Truth, Justice, and the DOL Way

At a time when digital security and cyberattacks are key concerns for individuals and businesses alike, plan sponsors and other plan fiduciaries have a key role to play in protecting retirement plan assets and data. Known as “responsible plan fiduciaries,” these individuals and certain plan service providers have a fiduciary duty to ensure there is a robust cybersecurity program in place to keep plan assets and data secure. As we previously reported on our blog here, the DOL recently issued guidance in this arena to keep employers and plan fiduciaries compliant. The DOL is now specifically targeting employers and plan fiduciaries who fail to adequately protect employee retirement plan assets from hackers and cyberthieves, so the time to act is before the DOL opens a plan audit and before participants are victimized by cybercriminals or hackers. The DOL requires that plan fiduciaries responsible for prudently selecting and monitoring service…

The DOL Announces a Non-Enforcement Policy on Final ESG Investment and Proxy Voting Rules

On March 10, 2021, the DOL released an enforcement policy statement (the “Statement”), which announced that until the DOL publishes further guidance, it will not enforce the recently issued “Financial Factors in Selecting Plan Investments” final rule (the “ESG Rule”) and the “Fiduciary Duties Regarding Proxy Voting and Shareholder Rights” final rule (the “Proxy Voting Rule,” together with the ESG Rule referred to herein as the “Final Rules”). The ESG Rule generally required plan fiduciaries to select investments and investment courses of action based solely on consideration of “pecuniary factors,” and the Proxy Voting Rule set forth a plan fiduciary’s obligations when voting proxies and exercising other shareholder rights in connection with plan investments. The implementation of the ESG Rule in particular has caused concerns for plan fiduciaries about the use of environmental, social, and governance considerations in their investment decisions and has been met with increasing criticism from a…

Investigating and Settling Potential HIPAA Privacy and Security Violations

Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (“HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations pursued by OCR following receipt of a breach report filed by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed…

Cross-Plan Offsetting Practice is Challenged in Class Action Lawsuit

This class action lawsuit, styled Scott, et al. v. UnitedHealth Group, Inc., et al., was filed in the U.S. District Court for the District of Minnesota on July 14, 2020. This lawsuit follows the decision of the U.S. Court of Appeals for the Eighth Circuit in Peterson v. UnitedHealth Group Inc. that was issued last year. In Scott, the plaintiffs, who were participants in the plans at issue in Peterson, filed, on behalf of a class of plaintiffs (the “Class”), a class action against UnitedHealth Group, Inc. and its wholly-owned subsidiaries (collectively, “UHC”), in their capacities as an insurer and/or third-party claims administrator of employer-sponsored group health plans. The lawsuit alleges the breach of UHC’s fiduciary duties under ERISA as related to UHC’s practice of “cross-plan offsetting.” The Class consists of participants and beneficiaries in all group health plans that are administered by UHC and contain “cross-plan offsetting” (collectively, the…

The Supreme Court Holds Participants in Fully-Funded Defined Benefit Plans Cannot Sue for Fiduciary Breach

The U.S. Supreme Court held Monday that participants in a fully-funded defined benefit plan have no standing to bring a lawsuit against plan fiduciaries for a breach of ERISA’s fiduciary requirements. In Thole, plan participants alleged that the plan fiduciaries had mismanaged funds and invested in imprudent investments causing the plan to lose approximately $748 million more than it otherwise should have during the 2008 recession. Subsequent to that date, the plan sponsor contributed an additional $311 million to the plan, resulting in the plan becoming fully funded. The Court held that because the participants would receive the same benefits whether they won or lost the lawsuit, there was no controversy and, therefore, the participants had no standing under Article III of the U.S. Constitution to bring a civil action under Sections 502(a)(2) or 502(a)(3) of ERISA. Thole v. U.S. Bank N.A., No. 17–1712 (U.S. June 1, 2020) can be…

Fifth Circuit Holds that Offering Single Stock Investments in a 401(k) Plan is Not Per-Se Imprudent

Following a spinoff, a 401(k) plan continued to offer the employer stock fund of the predecessor parent company as an investment alternative, but closed it to new investments. After the share price fell by approximately 50%, the participants brought a lawsuit against the plan fiduciaries claiming, among other things, that the fiduciaries breached their duty to diversify under ERISA Section 404(a)(1)(C) by retaining the stock fund as an investment alternative. The District Court dismissed the case and the U.S. Court of Appeals for the Fifth Circuit upheld the dismissal. The Fifth Circuit held that although the stock of the former parent was not statutorily exempt from ERISA’s diversification requirement because it was no longer a “qualifying employer security,” there was no obligation for the plan fiduciaries to force plan participants to divest from the fund. The court explained that ERISA contains no per se prohibition on individual account plans offering single-stock…

HIPAA Covered Entity Settles Breach Notification Failure with OCR for $2.175 Million

The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (“HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and other potential violations.

Background

OCR had investigated the Covered Entity in response to an individual complaint it received that alleged the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS…

Legal Requirements Triggered by HIPAA Breach

An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such a breach occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks.

Analysis of the Impermissible Acquisition, Access, Use, or Disclosure of PHI

An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”…

