Generally, the Americans with Disabilities Act (the “ADA”) and the Genetic Information Non-Discrimination Act (“GINA”) permit employers to offer certain wellness programs if they are “voluntary.” The EEOC issued regulations in 2016, which we discussed here, permitting wellness programs to have incentives of up to 30 percent of the cost of health plan coverage in order to align with permitted incentives under the Health Insurance Portability and Accountability Act (“HIPAA”). The AARP sued the EEOC claiming that this 30 percent limit was still coercive and was contrary to the “voluntary” requirement under the ADA and GINA. The U.S. District Court for the District of Columbia granted AARP’s motion for summary judgment, concluding that the EEOC failed to adequately explain its decision to interpret “voluntary” as permitting a 30 percent incentive level. Although governmental agencies are generally given deference, the “EEOC does not appear to have considered any factor that actually… Continue Reading
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a $2.5 million HIPAA privacy and security settlement with CardioNet, a wireless health services provider and covered entity under HIPAA, based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (“EPHI”). The disclosure occurred when a laptop computer belonging to a member of CardioNet’s workforce, which contained the unsecured EPHI of 1,391 individuals, was stolen from a parked vehicle outside of the workforce member’s home. CardioNet reported the breach to OCR and an investigation ensued, pursuant to which OCR determined that (i) CardioNet did not have a sufficient risk analysis and risk management process in place at the time of the theft, (ii) CardioNet had never actually implemented its draft policies and procedures for compliance with HIPAA’s security rules, and (iii) CardioNet was unable to produce any final policies or procedures regarding the implementation… Continue Reading
On April 17, 2017, the Center for Children’s Digestive Health in Illinois (“CCDH”) entered into a resolution agreement with HHS pursuant to which CCDH agreed to pay $31,000 to settle potential HIPAA privacy rule violations. The primary basis for the settlement was the lack of a business associate agreement between CCDH and one of its business associates, which HHS determined demonstrated a lack of effective control and review of CCDH’s HIPAA policies and procedures. FileFax, Inc. (“FileFax”) is an Illinois record storage and disposal company. FileFax’s clients included healthcare providers, such as CCDH. FileFax’s services to those providers included the storage and disposal of medical records. A whistleblower led to a 2015 investigation of FileFax by the Illinois Attorney General. HHS then discovered that FileFax was discarding medical records in an unlocked dumpster adjacent to its building and had also shipped a large volume of other medical records to a… Continue Reading
The U.S. Department of Health and Human Services (“HHS”) recently issued an interim final rule (the “HHS Rule”), which sets out inflation adjustments to the civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the “2015 Act”). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial “catch up” adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows: Prior $$… Continue Reading
A HIPAA Notice of Privacy Practices must be provided to new group health plan participants at the time of enrollment and within 60 days of a material revision. In addition, participants must be notified of the availability of the notice at least once every three years. This requirement can be satisfied by distributing either a copy of the notice or a reminder of the availability of the notice. A reminder of the availability of the notice can be included in annual enrollment materials or other plan publications sent to all participants. For example, group health plans that distributed a new Notice of Privacy Practices in 2013 when the final HIPAA regulations were issued should ensure they have satisfied this reminder requirement in 2016.
The HHS Office for Civil Rights (“OCR”) recently announced an initiative to more widely investigate HIPAA privacy breaches affecting fewer than 500 individuals. Generally, all reported breaches involving 500 or more individuals are automatically investigated by OCR. Breaches involving fewer than 500 individuals will not automatically be investigated, but Regional Offices will increase efforts to investigate smaller breaches based on (1) the size of the breach, (2) theft or improper disposal of unencrypted protected health information (“PHI”), (3) breaches involving hacking, (4) the sensitive nature of the PHI involved, and (5) whether numerous breach reports from the same entity raise similar issues. View additional information on OCR’s enforcement of HIPAA.
The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack. According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware. Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer… Continue Reading
The OCR recently issued three guidance documents in response to questions received from covered entities currently under audit: (1) a list of all Q&As received from audited entities; (2) a table showing the documents OCR requested for each audit protocol and the Q&As associated with that audit protocol; and (3) slides from an OCR webinar for audited entities. The OCR is currently auditing covered entities, such as employer-sponsored group health plans, for compliance with HIPAA’s privacy and security rules. This new guidance should be helpful to plan sponsors, as well as to HIPAA Privacy and Security Officials, in their ongoing HIPAA compliance efforts. View the three guidance documents.
The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently entered into a $5.55 million settlement agreement with Advocate Health Care Network and its subsidiaries (“Advocate”) to resolve multiple potential violations of HIPAA involving electronic protected health information (“EPHI”). The settlement results from OCR’s investigation of Advocate which began in 2013 after Advocate submitted three breach notification reports to OCR within a three-month timespan. The reported breaches involved (1) the theft from one of Advocate’s support centers of four desktop computers containing unsecured EPHI of nearly four million individuals, (2) unauthorized access of unsecured EPHI from the computer network of Advocate’s business associate (“BA”), and (3) the theft of a laptop containing unsecured EPHI from an Advocate workforce member’s vehicle. Upon its investigation, OCR determined that Advocate failed to (a) conduct an accurate and thorough risk analysis related to its utilization of EPHI, (b) implement… Continue Reading
HHS recently entered into a Resolution Agreement with North Memorial Health Care of Minnesota (“North Memorial”) to settle charges that North Memorial potentially violated HIPAA by failing to (1) enter into a business associate agreement with a major contractor and (2) implement a comprehensive risk analysis with respect to the security of its patients’ protected health information. OCR launched an investigation of North Memorial after an unencrypted laptop was stolen from the vehicle of an employee of its business associate. As part of the settlement, North Memorial agreed to pay HHS $1.55 million and to a corrective action plan under which North Memorial must, among other conditions, review and revise its HIPAA policies, procedures, and training as well as develop an organization-wide risk analysis and risk management plan. The Resolution Agreement is available here.