
HIPAA Covered Entity Incurs $300,640 Settlement Penalty Over Improper PHI Disposal

A recent settlement announced by the HHS’s Office for Civil Rights (“OCR”) is a great reminder for all covered entities, including group health plans, to remain vigilant in protecting PHI. OCR recently announced a settlement with a HIPAA covered entity over the covered entity’s improper disposal of PHI under the HIPAA privacy and security rules (“HIPAA Rules”). In this case, the covered entity was a health care provider that routinely disposed of empty specimen containers labeled with PHI by placing them in an outdoor unprotected garbage bin. A breach of PHI occurred when one of the labeled containers was found by a third-party security guard. Upon its investigation into the breach, OCR determined that (i) the covered entity did not maintain appropriate safeguards to protect the privacy of PHI, as required by the HIPAA Rules, and (ii) the covered entity impermissibly disclosed PHI to unauthorized individuals in violation of the…

New HIPAA Guidance: Use of Remote Technologies for Audio-Only Telehealth

HHS recently issued guidance to clarify how health plan and health care provider covered entities under HIPAA (each, a “Covered Entity”) may use remote communication technologies to deliver audio-only telehealth services (“Audio Services”) in accordance with HIPAA’s privacy and security rules. Audio Services may be offered by a Covered Entity in order to expand access to health care by individuals who are unable to use video telehealth services due to disability, limited English proficiency, lack of internet availability, or other factors. Topics addressed by the guidance include:

Reasonable safeguards that must be implemented by a Covered Entity that is providing Audio Services, including verifying the identity of the individual who is being provided the Audio Services before any PHI is disclosed;

The application of the HIPAA security rule, which imposes requirements on the use and disclosure of electronic PHI, to various forms of communication technologies that may be used…

The OCR’s Resolution of HIPAA Matters Highlights Need for Compliance with Administrative Provisions

Recently, the Office for Civil Rights (the “OCR”) of HHS announced the resolution of three investigations and one matter before an Administrative Law Judge (collectively, the “HIPAA Matters”) related to non-compliance with the HIPAA privacy rules (the “HIPAA Rules”) by certain covered entities. The OCR’s investigations and enforcement action regarding the HIPAA Matters generally stemmed from infractions of non-administrative provisions of the HIPAA Rules (including impermissible disclosures of PHI) by the HIPAA covered entity in question. Notably, however, the OCR also specifically identified certain violations of administrative provisions by the covered entities that triggered civil monetary penalties and follow-up actions by the covered entities under formal corrective action plans with the OCR. The OCR’s published settlement agreements and notice of final determination regarding the HIPAA Matters (each, an “Agreement”) discussed the following administrative violations by one or more covered entities and imposed the associated remedial actions: 1. The failure to…

Increase in Civil Monetary Penalties for Violations of HIPAA and ACA

HHS recently issued a final rule (the “HHS Rule”), which sets out the inflation-adjusted civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of HIPAA and the Affordable Care Act (“ACA”). The following adjusted CMP amounts are applicable to violations that occur after November 2, 2015, for which CMPs are assessed on or after March 17, 2022:

Violation standard / amount                                  Prior Amount     Adjusted Amount
Violations under a “did not know/would not have known through exercising reasonable diligence” standard
    Minimum                                                  $120             $127
    Maximum                                                  $60,226          $63,973
    Calendar Year Cap                                        $1,806,757       $1,919,173
Violations under a “reasonable cause/not willful neglect” standard
    Minimum                                                  $1,205           $1,280
    Maximum                                                  $60,226          $63,973
    Calendar Year Cap                                        $1,806,757       $1,919,173
Violations under a “willful neglect” standard, with timely correction
    Minimum                                                  $12,045          $12,794
    Maximum                                                  $60,226          $63,973
    Calendar Year Cap                                        $1,806,757       $1,919,173
Violations under a “willful neglect” standard, with untimely correction
    Minimum                                                  $60,226          $63,973
    Maximum                                                  $1,806,757       $1,919,173
    Calendar Year Cap                                        $1,806,757       $1,919,173

In addition, the maximum penalty for each failure by a health insurance…

HIPAA Breach by Express Scripts Vendor Triggers Plan Sponsor Actions

Many employers that sponsor a group health plan which is a “covered entity” subject to the HIPAA privacy and security rules have recently received notice from Express Scripts, Inc., a pharmacy benefit manager (“ESI”), regarding a cyberattack on the computer network of its subcontractor, Medical Review Institute of America (“MRIA”). This cyberattack apparently resulted in a HIPAA breach of current or former participants’ protected health information (“PHI”) under the plans. The breach notices were sent to the employers by ESI in its capacity as a HIPAA business associate of the plans. A breach of unsecured PHI triggers notification obligations on the part of covered entities under HIPAA’s breach notification regulations (the “Breach Rules”), including (i) notifications to the individuals whose PHI was involved in the breach (the “Impacted Individuals”), and (ii) notification to HHS. Such notifications are subject to specific requirements of the Breach Rules, including content and timing requirements. ESI’s…

New Guidance Addresses HIPAA Rules and COVID-19 Vaccination Information in the Workplace

HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures and requests for information about an individual’s COVID-19 vaccination status. Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information an employer receives in its capacity as the plan sponsor of its group health plan (generally, a “covered entity” under HIPAA), and (ii) individualized health information received by the employer in its capacity as an employer (i.e., as related to employment functions referred to by HIPAA as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, employers are permitted to request from employees as part of…

Agencies Issue FAQs Clarifying Wellness Program and Other Health Plan Requirements Related to COVID-19 Vaccines

The DOL, Treasury Department, and HHS have jointly issued a set of FAQs that provide helpful clarifications regarding certain requirements under the CARES Act, the HIPAA nondiscrimination rules (the “Nondiscrimination Rules”), and the Affordable Care Act (the “ACA”) related to COVID-19 vaccines (“Vaccines”).

Wellness Programs under the Nondiscrimination Rules

Among other items, the FAQs provide guidance under the Nondiscrimination Rules regarding an employer’s imposition of a premium discount under a wellness program for an individual’s receipt of a Vaccine. If the wellness program is itself, or is part of, a group health plan that is not otherwise exempt from the Nondiscrimination Rules, the FAQs confirm that a premium discount would constitute a “health-contingent, activity-only” wellness program that must, among other requirements, offer a “reasonable alternative standard” to qualify for the discount for individuals for whom it is unreasonably difficult due to a medical condition, or medically inadvisable, to receive the…

Keeping Your Wellness Program Healthy

For years, employers have used wellness programs with the hope they would help improve employees’ overall health while simultaneously reducing group health plan costs. The pandemic has presented challenges for wellness programs though, as employees have found it more difficult to meet the requirements for discounts because of lockdowns and fears of COVID-19. To address these challenges, some employers are considering modifications to their programs to allow employees to qualify for discounts if they obtain a flu or COVID-19 vaccine. Before adopting any changes, employers should use caution, as wellness programs are subject to numerous legal requirements, including requirements under the ACA, ERISA, HIPAA, and the Americans with Disabilities Act. By carefully evaluating changes and considering the myriad of legal requirements applicable to wellness programs prior to implementing any changes, plan sponsors can avoid jeopardizing the legal health of their wellness programs. Our prior blog posts regarding wellness program compliance…

Retirement Plan Cybersecurity—Truth, Justice, and the DOL Way

At a time when digital security and cyberattacks are key concerns for individuals and businesses alike, plan sponsors and other plan fiduciaries have a key role to play in protecting retirement plan assets and data. Otherwise known as “responsible plan fiduciaries,” these individuals and certain plan service providers have a fiduciary duty to ensure there is a robust cybersecurity program in place to keep plan assets and data secure. As we previously reported on our blog here, the DOL recently issued guidance in this arena to keep employers and plan fiduciaries compliant. The DOL is now specifically targeting employers and plan fiduciaries who fail to adequately protect employee retirement plan assets from hackers and cyberthieves, so the time to act is before the DOL issues a plan audit and before participants are victimized by cybercriminals or hackers. The DOL requires that plan fiduciaries responsible for prudently selecting and monitoring service…

Updates on Employee Benefits Regulations Impacted by the Biden Administration’s Regulatory Freeze

On January 20, 2021, the Biden Administration issued a memorandum (the “Memo”) calling for a 60-day freeze on regulations that had not taken effect as of the date of the Memo, which included certain regulations related to employee benefits (see our prior blog post regarding the Memo here). The Memo also authorized additional postponement of such regulations following the 60-day period where deemed necessary for further review. Listed below are some of the previously discussed proposed and final regulations related to employee benefits that were impacted by the Memo and updates to their effective dates:

Independent Contractor Status Under the Fair Labor Standards Act. Final Rule. Effective date is delayed until May 7, 2021. There is also a proposed withdrawal of this rule with comments due by April 12, 2021.

Medicare Program; Secure Electronic Prior Authorization for Medicare Part D. Final Rule. Effective date was delayed until March 30, 2021.…
