
HIPAA Covered Entity Incurs $300,640 Settlement Penalty Over Improper PHI Disposal

A recent settlement announced by the HHS’s Office for Civil Rights (“OCR”) is a great reminder for all covered entities, including group health plans, to remain vigilant in protecting PHI. OCR recently announced a settlement with a HIPAA covered entity over the covered entity’s improper disposal of PHI under the HIPAA privacy and security rules (“HIPAA Rules”). In this case, the covered entity was a health care provider that routinely disposed of empty specimen containers labeled with PHI by placing them in an outdoor unprotected garbage bin. A breach of PHI occurred when one of the labeled containers was found by a third-party security guard. Upon its investigation into the breach, OCR determined that (i) the covered entity did not maintain appropriate safeguards to protect the privacy of PHI, as required by the HIPAA Rules, and (ii) the covered entity impermissibly disclosed PHI to unauthorized individuals in violation of the… Continue Reading

New HIPAA Guidance: Use of Remote Technologies for Audio-Only Telehealth

HHS recently issued guidance to clarify how health plan and health care provider covered entities under HIPAA (each, a “Covered Entity”) may use remote communication technologies to deliver audio-only telehealth services (“Audio Services”) in accordance with HIPAA’s privacy and security rules. Audio Services may be offered by a Covered Entity in order to expand access to health care by individuals who are unable to use video telehealth services due to disability, limited English proficiency, lack of internet availability, or other factors. Topics addressed by the guidance include: Reasonable safeguards that must be implemented by a Covered Entity that is providing Audio Services, including verifying the identity of the individual who is being provided the Audio Services before any PHI is disclosed; The application of the HIPAA security rule, which imposes requirements on the use and disclosure of electronic PHI, to various forms of communication technologies that may be used… Continue Reading

HIPAA Breach by Express Scripts Vendor Triggers Plan Sponsor Actions

Many employers that sponsor a group health plan which is a “covered entity” subject to the HIPAA privacy and security rules have recently received notice from Express Scripts, Inc., a pharmacy benefit manager (“ESI”), regarding a cyberattack on the computer network of its subcontractor, Medical Review Institute of America (“MRIA”). This cyberattack apparently resulted in a HIPAA breach of current or former participants’ protected health information (“PHI”) under the plans. The breach notices were sent to the employers by ESI in its capacity as a HIPAA business associate of the plans. A breach of unsecured PHI triggers notification obligations on the part of covered entities under HIPAA’s breach notification regulations (the “Breach Rules”), including (i) notifications to the individuals whose PHI was involved in the breach (the “Impacted Individuals”), and (ii) notification to HHS. Such notifications are subject to specific requirements of the Breach Rules, including content and timing requirements. ESI’s… Continue Reading

New Guidance Addresses HIPAA Rules and COVID-19 Vaccination Information in the Workplace

HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures and requests for information about an individual’s COVID-19 vaccination status. Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information an employer receives in its capacity as the plan sponsor of its group health plan (generally, a “covered entity” under HIPAA), and (ii) individualized health information received by the employer in its capacity as an employer (i.e., as related to employment functions referred to by HIPAA as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, employers are permitted to request from employees as part of… Continue Reading

New Year’s Resolutions to Ensure Proper ERISA Fiduciary and HIPAA Privacy Training

With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries—including any new members of plan administrative and investment committees—have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”)… Continue Reading

Investigating and Settling Potential HIPAA Privacy and Security Violations

Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (“HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations pursued by OCR following the receipt of a breach report by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed… Continue Reading

HIPAA Covered Entity Settles Breach Notification Failure with OCR for $2.175 Million

The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (“HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and other potential violations.

Background

OCR had investigated the Covered Entity in response to an individual complaint it received that alleged the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS… Continue Reading

Legal Requirements Triggered by HIPAA Breach

An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such a breach occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks.

Analysis of the Impermissible Acquisition, Access, Use, or Disclosure of PHI

An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”… Continue Reading
