HIPAA Covered Entity Incurs $300,640 Settlement Penalty Over Improper PHI Disposal

A recent settlement announced by the HHS’s Office for Civil Rights (“OCR”) is a great reminder for all covered entities, including group health plans, to remain vigilant in protecting PHI. OCR recently announced a settlement with a HIPAA covered entity over the covered entity’s improper disposal of PHI under the HIPAA privacy and security rules (“HIPAA Rules”). In this case, the covered entity was a health care provider that routinely disposed of empty specimen containers labeled with PHI by placing them in an outdoor unprotected garbage bin. A breach of PHI occurred when one of the labeled containers was found by a third-party security guard. Upon its investigation into the breach, OCR determined that (i) the covered entity did not maintain appropriate safeguards to protect the privacy of PHI, as required by the HIPAA Rules, and (ii) the covered entity impermissibly disclosed PHI to unauthorized individuals in violation of the… Continue Reading

New FAQs Address Issues Related to Contraceptive Coverage under Group Health Plans

The federal Treasury, DOL, and HHS (collectively, the “Agencies”) jointly issued a new set of FAQs to address various issues regarding the requirement for most employer-provided and other applicable group health plans to cover contraceptives without cost-sharing under the preventive care mandate of the Affordable Care Act (the “Contraceptive Coverage Mandate”). In particular, the FAQs are intended to (i) respond to reports that individuals continue to experience difficulty accessing contraceptive coverage without cost sharing; (ii) clarify application of the Contraceptive Coverage Mandate to fertility awareness-based methods and emergency contraceptives; and (iii) address the preemption of state law by the Contraceptive Coverage Mandate.  Specific issues addressed in the FAQs include the following:  The requirement for plans to cover items and services that are integral to the furnishing of a recommended preventive service, such as anesthesia necessary for a tubal ligation procedure; The requirement for a plan to cover, without cost-sharing, FDA-approved… Continue Reading

The OCR’s Resolution of HIPAA Matters Highlights Need for Compliance with Administrative Provisions

Recently, the Office for Civil Rights (the “OCR”) of HHS announced the resolution of three investigations and one matter before an Administrative Law Judge (collectively, the “HIPAA Matters”) related to non-compliance with the HIPAA privacy rules (the “HIPAA Rules”) by certain covered entities. The OCR’s investigations and enforcement action regarding the HIPAA Matters generally stemmed from infractions of non-administrative provisions of the HIPAA Rules (including impermissible disclosures of PHI) by the HIPAA covered entity in question. Notably, however, the OCR also specifically identified certain violations of administrative provisions by the covered entities that triggered civil monetary penalties and follow-up actions by the covered entities under formal corrective action plans with the OCR. The OCR’s published settlement agreements and notice of final determination regarding the HIPAA Matters (each, an “Agreement”) discussed the following administrative violations by one or more covered entities and imposed the associated remedial actions: 1. The failure to… Continue Reading

Increase in Civil Monetary Penalties for Violations of HIPAA and ACA

HHS recently issued a final rule (the “HHS Rule”), which sets out the inflation-adjusted civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of HIPAA and the Affordable Care Act (“ACA”). The following adjusted CMP amounts are applicable to violations that occur after November 2, 2015, for which CMPs are assessed on or after March 17, 2022:

Violations under a “did not know/would not have known through exercising reasonable diligence” standard
Minimum: Prior Amount $120; Adjusted Amount $127
Maximum: Prior Amount $60,226; Adjusted Amount $63,973
Calendar Year Cap: Prior Amount $1,806,757; Adjusted Amount $1,919,173

Violations under a “reasonable cause/not willful neglect” standard
Minimum: Prior Amount $1,205; Adjusted Amount $1,280
Maximum: Prior Amount $60,226; Adjusted Amount $63,973
Calendar Year Cap: Prior Amount $1,806,757; Adjusted Amount $1,919,173

Violations under a “willful neglect” standard, with timely correction
Minimum: Prior Amount $12,045; Adjusted Amount $12,794
Maximum: Prior Amount $60,226; Adjusted Amount $63,973
Calendar Year Cap: Prior Amount $1,806,757; Adjusted Amount $1,919,173

Violations under a “willful neglect” standard, with untimely correction
Minimum: Prior Amount $60,226; Adjusted Amount $63,973
Maximum: Prior Amount $1,806,757; Adjusted Amount $1,919,173
Calendar Year Cap: Prior Amount $1,806,757; Adjusted Amount $1,919,173

In addition, the maximum penalty for each failure by a health insurance… Continue Reading

DOL Responds to Texas Court Invalidating Portions of the No Surprises Act Regulations

The United States District Court for the Eastern District of Texas recently invalidated portions of an interim final rule (the “Rule”) issued by the Departments of Health and Human Services, Labor, and the Treasury (the “Departments”) relating to aspects of the federal independent dispute resolution process under the No Surprises Act (the “Act”). Generally, the court vacated the portion of the Rule that creates a rebuttable presumption that the amount closest to the qualifying payment amount (generally, the average contracted rate) is the proper payment amount. The court found those portions of the Rule conflicted with the Act. In response, the DOL issued a memorandum emphasizing that all other rulemaking by the Departments under the Act has not been affected and thus all such other rulemaking is still in force. Only guidance documents that are based on, or refer to, the portions of the Rule that were invalidated were withdrawn… Continue Reading

New FAQs Address Interaction of No Surprises Act’s Federal IDR Process with DOL Claims Regulations

A set of FAQs recently issued by HHS’s Centers for Medicare and Medicaid Services provide additional guidance regarding the federal independent dispute resolution process (“Federal IDR Process”) that was established under the “No Surprises Act” (the “Act”), enacted as part of the Consolidated Appropriations Act of 2021. The purpose of the Federal IDR Process is to resolve certain types of payment disputes between group health plans or health insurance issuers (each, a “Plan”) and out-of-network health care providers, facilities, and providers of air ambulance services (collectively, “OON Providers”). These disputes concern the out-of-network rates that Plans will pay for emergency, air ambulance, and certain other services subject to the Act that are furnished to plan participants by OON Providers. The Federal IDR Process generally applies to Plans effective for plan (or policy) years beginning on or after January 1, 2022, and to OON Providers beginning on January 1, 2022.  Among… Continue Reading

FAQs Provide Additional Guidance Regarding At-Home COVID-19 Testing Coverage Requirements

As discussed in our prior blog post here, employer-provided group health plans, and insurers and other issuers, are required to cover the cost of over-the-counter, at-home COVID-19 tests (“OTC Tests”) authorized by the Food and Drug Administration (“FDA”). The DOL, HHS, and the Treasury Department (collectively, the “Departments”) previously issued guidance establishing a safe harbor that, if satisfied, allows plans and issuers to limit the reimbursement of OTC Tests to $12 per test (or the actual cost of the OTC Test, if lower). The Departments recently issued additional guidance in the form of FAQs clarifying how plans and issuers may comply with the safe harbor OTC Test coverage requirements. The FAQs clarify that whether a plan or issuer satisfies the safe harbor by providing adequate access to OTC Tests through its direct coverage program will depend on the particular facts and circumstances, but will generally require that OTC Tests are… Continue Reading

HHS Announces Final 2023 Cost-Sharing Maximums under the Affordable Care Act

Last year, HHS issued its final “Notice of Benefit and Payment Parameters for 2022” providing that, beginning with the 2023 benefit year, HHS will publish the maximum annual limit on cost-sharing in guidance issued by January of the year preceding the applicable benefit year, using the most recent National Health Expenditure Accounts income and premium data that is available at the time of publication. HHS recently issued a CMS notice (the “CMS Notice”) providing these annual limits for 2023. The 2023 maximum annual limit on cost sharing is $9,100 for self-only coverage (increased from $8,700 for 2022) and $18,200 for other than self-only coverage (increased from $17,400 for 2022). The CMS Notice is available here. 

HIPAA Breach by Express Scripts Vendor Triggers Plan Sponsor Actions

Many employers that sponsor a group health plan which is a “covered entity” subject to the HIPAA privacy and security rules have recently received notice from Express Scripts, Inc., a pharmacy benefit manager (“ESI”), regarding a cyberattack on the computer network of its subcontractor, Medical Review Institute of America (“MRIA”). This cyberattack apparently resulted in a HIPAA breach of current or former participants’ protected health information (“PHI”) under the plans. The breach notices were sent to the employers by ESI in its capacity as a HIPAA business associate of the plans.  A breach of unsecured PHI triggers notification obligations on the part of covered entities under HIPAA’s breach notification regulations (the “Breach Rules”), including (i) notifications to the individuals whose PHI was involved in the breach (the “Impacted Individuals”), and (ii) notification to HHS. Such notifications are subject to specific requirements of the Breach Rules, including content and timing requirements.   ESI’s… Continue Reading

New Guidance Addresses HIPAA Rules and COVID-19 Vaccination Information in the Workplace

HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures and requests for information about an individual’s COVID-19 vaccination status.  Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information an employer receives in its capacity as the plan sponsor of its group health plan (generally, a “covered entity” under HIPAA), and (ii) individualized health information received by the employer in its capacity as an employer (i.e., as related to employment functions referred to by HIPAA as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, employers are permitted to request from employees as part of… Continue Reading
