
New Guidance Addresses HIPAA Rules and COVID-19 Vaccination Information in the Workplace

HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures of, and requests for, information about an individual’s COVID-19 vaccination status. Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information that an employer receives in its capacity as the plan sponsor of its group health plan (the plan itself generally being a “covered entity” under HIPAA), and (ii) individualized health information that the employer receives in its capacity as an employer (i.e., information related to employment functions, which HIPAA refers to as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, that employers are permitted to request from employees as part of…

New Year’s Resolutions to Ensure Proper ERISA Fiduciary and HIPAA Privacy Training

With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries (including any new members of plan administrative and investment committees) have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has increased significantly in recent years. Plan fiduciaries assume responsibilities and make decisions that could subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”)…

Investigating and Settling Potential HIPAA Privacy and Security Violations

Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (the “HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations that OCR opened after receiving a breach report filed by the covered entity, and involved settlement payments ranging from $25,000 to $6.85 million (the second-largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed…

HIPAA Covered Entity Settles Breach Notification Failure with OCR for $2.175 Million

The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (the “HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and for other potential violations. Background: OCR had investigated the Covered Entity in response to an individual complaint alleging that the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS…

Legal Requirements Triggered by HIPAA Breach

An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such an event occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks. Analysis of the impermissible acquisition, access, use, or disclosure of PHI: an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”…
