HIPAA Covered Entity Incurs $300,640 Settlement Penalty Over Improper PHI Disposal

A recent settlement announced by the HHS’s Office for Civil Rights (“OCR”) is a great reminder for all covered entities, including group health plans, to remain vigilant in protecting PHI. OCR recently announced a settlement with a HIPAA covered entity over the covered entity’s improper disposal of PHI under the HIPAA privacy and security rules (“HIPAA Rules”). In this case, the covered entity was a health care provider that routinely disposed of empty specimen containers labeled with PHI by placing them in an outdoor unprotected garbage bin. A breach of PHI occurred when one of the labeled containers was found by a third-party security guard. Upon its investigation into the breach, OCR determined that (i) the covered entity did not maintain appropriate safeguards to protect the privacy of PHI, as required by the HIPAA Rules, and (ii) the covered entity impermissibly disclosed PHI to unauthorized individuals in violation of the…

The OCR’s Resolution of HIPAA Matters Highlights Need for Compliance with Administrative Provisions

Recently, the Office for Civil Rights (the “OCR”) of HHS announced the resolution of three investigations and one matter before an Administrative Law Judge (collectively, the “HIPAA Matters”) related to non-compliance with the HIPAA privacy rules (the “HIPAA Rules”) by certain covered entities. The OCR’s investigations and enforcement action regarding the HIPAA Matters generally stemmed from infractions of non-administrative provisions of the HIPAA Rules (including impermissible disclosures of PHI) by the HIPAA covered entity in question. Notably, however, the OCR also specifically identified certain violations of administrative provisions by the covered entities that triggered civil monetary penalties and follow-up actions by the covered entities under formal corrective action plans with the OCR. The OCR’s published settlement agreements and notice of final determination regarding the HIPAA Matters (each, an “Agreement”) discussed the following administrative violations by one or more covered entities and imposed the associated remedial actions: 1. The failure to…

HIPAA Breach by Express Scripts Vendor Triggers Plan Sponsor Actions

Many employers that sponsor a group health plan that is a “covered entity” subject to the HIPAA privacy and security rules have recently received notice from Express Scripts, Inc., a pharmacy benefit manager (“ESI”), regarding a cyberattack on the computer network of its subcontractor, Medical Review Institute of America (“MRIA”). This cyberattack apparently resulted in a HIPAA breach of current or former participants’ protected health information (“PHI”) under the plans. The breach notices were sent to the employers by ESI in its capacity as a HIPAA business associate of the plans. A breach of unsecured PHI triggers notification obligations on the part of covered entities under HIPAA’s breach notification regulations (the “Breach Rules”), including (i) notifications to the individuals whose PHI was involved in the breach (the “Impacted Individuals”), and (ii) notification to HHS. Such notifications are subject to specific requirements of the Breach Rules, including content and timing requirements. ESI’s…

Guidance on Benefit Plan Cybersecurity Best Practices

Plan participants now enroll, change elections, review benefits, apply for plan loans and hardship distributions, and access account information through websites and cellphone apps. As electronic access to plan information has increased, so has the interest of hackers in obtaining the wealth of information stored electronically. Recently, the DOL’s Employee Benefits Security Administration (the “EBSA”) issued the following cybersecurity guidance documents to help plan sponsors comply with their duties to protect plan information:

Tips for Hiring a Service Provider with Strong Cybersecurity Practices: These tips are intended to help plan sponsors and plan fiduciaries meet their duties under ERISA to prudently select and monitor service providers. They include a list of questions to ask and considerations to make when evaluating potential service providers.

Cybersecurity Program Best Practices: This guidance provides a list of 12 best practices intended to help plan fiduciaries mitigate cybersecurity risks and make prudent decisions when selecting…

Updates on Employee Benefits Regulations Impacted by the Biden Administration’s Regulatory Freeze

On January 20, 2021, the Biden Administration issued a memorandum (the “Memo”) calling for a 60-day freeze on regulations that had not taken effect as of the date of the Memo, which included certain regulations related to employee benefits (see our prior blog post regarding the Memo here). The Memo also authorized additional postponement of such regulations following the 60-day period where deemed necessary for further review. Listed below are some of the previously discussed proposed and final regulations related to employee benefits that were impacted by the Memo and updates to their effective dates:

Independent Contractor Status Under the Fair Labor Standards Act. Final Rule. Effective date is delayed until May 7, 2021. There is also a proposed withdrawal of this rule with comments due by April 12, 2021.

Medicare Program; Secure Electronic Prior Authorization for Medicare Part D. Final Rule. Effective date was delayed until March 30, 2021.…

Employee Benefits Regulations Potentially Impacted by the Biden Administration’s Regulatory Freeze

On January 20, 2021, the Biden Administration issued a memorandum (the “Memo”) announcing a regulatory freeze on regulations that have not taken effect as of the date of the Memo. Specifically, the Memo recommends postponing the effective date of any regulation that has been issued, but has not taken effect, for 60 days from the date of the Memo. The Memo further directs that regulations not yet published in the Federal Register be immediately withdrawn for review. Listed below are some of the proposed and final regulations related to employee benefits that may be subject to withdrawal or postponement under the Memo:

Prohibited Transaction Exemption 2020-02 – Improving Investment Advice for Workers & Retirees. Final Rule.

Application of the Employer Shared Responsibility Provisions and Certain Nondiscrimination Rules to Health Reimbursement Arrangements and Other Account-Based Group Health Plans Integrated with Individual Health Insurance Coverage or Medicare. Final Rule.

Pension Benefit Statements-Lifetime…

Before Cleaning Out Files, Brush Up on Record Retention Requirements

Our world is filled with paper and electronic records, and the HR departments at most companies are no exception. Enrollment forms, notices, plan documents, summary plan descriptions, benefit statements, and service records are just a few of the records that fill the HR department’s file cabinets and computer storage. While it might be tempting to clean out files, plan sponsors should exercise care before disposing of any files relating to benefits under a plan. A clean desk today could create headaches tomorrow. Generally, ERISA requires an employer to retain plan records to support plan filings, including the annual Form 5500, for at least six years from the filing date (ERISA §107) and to maintain records for each employee sufficient to determine the benefits due or that may become due to such employee (ERISA §209), with no time limit on such requirement. In addition, HIPAA requires retention of the policies and…

New Year’s Resolutions to Ensure Proper ERISA Fiduciary and HIPAA Privacy Training

With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries—including any new members of plan administrative and investment committees—have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”)…

Get Ready to Update HIPAA Privacy Policies Next Year

Last week, HHS issued a Notice of Proposed Rulemaking that proposes changes to the HIPAA Privacy Rule that will affect HIPAA privacy policies and procedures for employer group health plans. The proposed revisions affect (i) an individual’s right to access “protected health information” (“PHI”), (ii) the content required in the Notice of Privacy Practices, and (iii) the ability to use and disclose PHI based on professional judgment, to avert a threat to health or safety, or for coordination of care and case management. HHS proposed that compliance with the changes would be required within 180 days after the effective date of a final rule. HHS has requested comments on the proposed changes within 60 days after their publication in the Federal Register, which publication should occur soon. The Notice of Proposed Rulemaking is available here.

Investigating and Settling Potential HIPAA Privacy and Security Violations

Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (“HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations pursued by OCR following the receipt of a breach report by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed…
