An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such a breach occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks. Analysis of the Impermissible Acquisition, Access, Use, or Disclosure of PHI An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”… Continue Reading
OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI
In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance: A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading
An administrative law judge for HHS upheld an award of $4.3 million in civil monetary penalties (the “Penalties”) against a Texas-based healthcare provider for violations of the HIPAA privacy and security rules (the “HIPAA Rules”). The provider is a “covered entity” under HIPAA (“CE”), and the Penalties are the fourth largest ever awarded to the Office of Civil Rights (“OCR”), the HHS agency that enforces the HIPAA Rules, by an administrative law judge or secured via a settlement for HIPAA violations. The Penalties stemmed from an OCR investigation of the CE in response to three separate HIPAA breach reports the CE filed with OCR during 2012 and 2013 involving the theft of an unencrypted laptop computer and the loss of two unencrypted thumb drives, which resulted in the impermissible disclosure of electronic protected health information (“EPHI”) of over 33,500 individuals. OCR’s investigation found that, although the CE had written encryption… Continue Reading
HHS recently entered into a $3.5 million settlement agreement with a health care provider (the “Provider”) on behalf of five entities under its common ownership and control for violations of the HIPAA privacy and security rules. Each of the five entities constituted a “covered entity” under HIPAA. In 2013, the Provider filed five breach reports with HHS, each of which pertained to a separate incident that implicated the “electronic protected health information” (“EPHI“) of one of those covered entities. HHS’s subsequent investigation of the breaches revealed a number of violations of the HIPAA privacy and security rules, including that certain of the covered entities: Failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI; Provided unauthorized access to EPHI for a purpose not permitted by the HIPAA privacy rules; Failed to implement policies and procedures to address security… Continue Reading
Generally, the Americans with Disabilities Act (the “ADA“) and the Genetic Information Non-Discrimination Act (“GINA“) permit employers to offer certain wellness programs if they are “voluntary.” The EEOC issued regulations in 2016, which we discussed here, permitting wellness programs to have incentives of up to 30 percent of the cost of health plan coverage in order to align with permitted incentives under the Health Insurance Portability and Accountability Act (“HIPAA“). The AARP sued the EEOC claiming that this 30 percent limit was still coercive and was contrary to the “voluntary” requirement under the ADA and GINA. The U.S. District Court for the District of Columbia granted AARP’s motion for summary judgment, concluding that the EEOC failed to adequately explain its decision to interpret “voluntary” as permitting a 30 percent incentive level. Although governmental agencies are generally given deference, the “EEOC does not appear to have considered any factor that actually… Continue Reading
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a $2.5 million HIPAA privacy and security settlement with CardioNet, a wireless health services provider and covered entity under HIPAA, based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (“EPHI”). The disclosure occurred when a laptop computer belonging to a member of CardioNet’s workforce, which contained the unsecured EPHI of 1,391 individuals, was stolen from a parked vehicle outside of the workforce member’s home. CardioNet reported the breach to OCR and an investigation ensued, pursuant to which OCR determined that (i) CardioNet did not have a sufficient risk analysis and risk management process in place at the time of the theft, (ii) CardioNet had never actually implemented its draft policies and procedures for compliance with HIPAA’s security rules, and (iii) CardioNet was unable to produce any final policies or procedures regarding the implementation… Continue Reading
On April 17, 2017, the Center for Children’s Digestive Health in Illinois (“CCDH”) entered into a resolution agreement with HHS pursuant to which CCDH agreed to pay $31,000 to settle potential HIPAA privacy rule violations. The primary basis for the settlement was the lack of a business associate agreement between CCDH and one of its business associates, which HHS determined demonstrated a lack of effective control and review of CCDH’s HIPAA policies and procedures. FileFax, Inc. (“FileFax”) is an Illinois record storage and disposal company. FileFax’s clients included healthcare providers, such as CCDH. FileFax’s services to those providers included the storage and disposal of medical records. A whistleblower led to a 2015 investigation of FileFax by the Illinois Attorney General. HHS then discovered that FileFax was discarding medical records in an unlocked dumpster adjacent to its building and had also shipped a large volume of other medical records to a… Continue Reading
The U.S. Department of Health and Human Services (“HHS”) recently issued an interim final rule (the “HHS Rule”), which sets out inflation adjustments to the civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the “2015 Act”). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial “catch up” adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows: Prior $$… Continue Reading
A HIPAA Notice of Privacy Practices must be provided to new group health plan participants at the time of enrollment and within 60 days of a material revision. In addition, participants must be notified of the availability of the notice at least once every three years. This requirement can be satisfied by distributing either a copy of the notice or a reminder of the availability of the notice. A reminder of the availability of the notice can be included in annual enrollment materials or other plan publications sent to all participants. For example, group health plans that distributed a new Notice of Privacy Practices in 2013 when the final HIPAA regulations were issued should ensure they have satisfied this reminder requirement in 2016.
The HHS Office for Civil Rights (“OCR“) recently announced an initiative to more widely investigate HIPAA privacy breaches affecting fewer than 500 individuals. Generally, all reported breaches involving 500 or more individuals are automatically investigated by OCR. Breaches involving less than 500 individuals will not automatically be investigated, but Regional Offices will increase efforts to investigate smaller breaches based on (1) the size of the breach, (2) theft or improper disposal of unencrypted protected health information (“PHI“), (3) breaches involving hacking, (4) the sensitive nature of the PHI involved, and (5) where numerous breach reports from the same entity raise similar issues. View additional information on OCR’s enforcement of HIPAA.