HHS recently entered into a Resolution Agreement with North Memorial Health Care of Minnesota (“North Memorial”) to settle charges that North Memorial potentially violated HIPAA by failing to (1) enter into a business associate agreement with a major contractor and (2) implement a comprehensive risk analysis with respect to the security of its patients’ protected health information. OCR launched an investigation of North Memorial after an unencrypted laptop was stolen from the vehicle of an employee of its business associate. As part of the settlement, North Memorial agreed to pay HHS $1.55 million and to a corrective action plan under which North Memorial must, among other conditions, review and revise its HIPAA policies, procedures, and training as well as develop an organization-wide risk analysis and risk management plan. The Resolution Agreement is available here.
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently announced it has begun its next phase of audits to assess the compliance of covered entities, such as employer-sponsored health plans, and their business associates with the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act (“HIPAA”). During this phase of the audit program, OCR will review the HIPAA policies and procedures adopted by covered entities and business associates, primarily through desk audits but also via some on-site audits. OCR is currently sending letters by email to covered entities and business associates to verify their contact information and will subsequently send pre-audit questionnaires to gather information that OCR will use to identify potential audit candidates. In light of this new audit program, as well as several recent high dollar and burdensome settlement agreements that the U.S. Department of Health and Human…
The Office of Inspector General for the U.S. Department of Health and Human Services (“HHS”) recently released a report that recommends the HHS’s Office for Civil Rights (“OCR”) strengthen its oversight of covered entities’ compliance with the Privacy Rule under the Health Insurance Portability and Accountability Act (“HIPAA”). One specific recommendation is that OCR fully implement the audit program required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, so that OCR can proactively gauge HIPAA compliance, rather than launching investigations of covered entities’ privacy practices solely in response to complaints, tips, or media reports of possible noncompliance. Responding to these recommendations in a letter dated September 23, 2015, the Director of OCR stated that the second phase of the HIPAA audit program will be launched in early 2016. According to that letter, the upcoming round of audits will (1) include both “desk reviews of policies” and…
The U.S. Department of Health and Human Services (“HHS”) recently entered into a Resolution Agreement with St. Elizabeth’s Medical Center (“SEMC”) to settle charges that SEMC violated HIPAA by failing to implement sufficient security measures to safeguard protected health information (“PHI”) when using certain Internet-based document sharing applications. In addition, SEMC allegedly failed to timely respond to, and mitigate damages caused by, the breach of unsecured PHI on an employee’s personal laptop and thumb drive. As part of the settlement, SEMC agreed to pay HHS nearly $220,000 and to a corrective action plan under which SEMC must, among other things, review and revise its HIPAA policies, procedures, and training; retrain its workforce who have access to PHI; and submit to certain other reporting and record retention requirements. Employers that sponsor group health plans, in consultation with legal counsel, should undertake a review to ensure full compliance with HIPAA’s privacy and…
On January 29, 2015, Anthem, Inc. discovered a cyber-attack that may affect members in all lines of Anthem’s business and the BlueCard program, in which a number of independent Blue Cross and Blue Shield plans participate, such as BlueCross BlueShield of Texas. Anthem’s investigation to date indicates that members’ names, dates of birth, ID numbers, social security numbers, addresses, phone numbers, email addresses, and employment information were accessed. Employers who believe their employees may have been affected should consider alerting them that calls or emails purporting to be from Anthem are scams. Anthem has stated that affected individuals will receive information from Anthem via mail. Employees can also be directed to Anthem’s toll-free hotline (877) 263-7995 and to www.anthemfacts.com for answers to frequently asked questions as well as for information regarding credit monitoring and identity theft protection services provided by Anthem. There have been reports that HHS wants Anthem to handle the…
The Centers for Medicare & Medicaid Services (“CMS”) announced the indefinite delay of its enforcement of the requirement that health plans obtain and use a Health Plan Identifier (“HPID”) in HIPAA transactions. Certain health plans had been required to obtain an HPID by November 5, 2014. The enforcement delay applies to all HIPAA covered entities, including health plans and healthcare providers. The CMS announcement is available here.
The U.S. Department of Health and Human Services (“HHS”) issued guidance explaining that for purposes of the HIPAA privacy rule, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction; the term “marriage” includes both same-sex and opposite-sex marriages; and the term “family member” includes dependents of those marriages. Legally married same-sex spouses, regardless of where they live, are family members for the purposes of applying rules permitting HIPAA covered entities to share an individual’s protected health information with a family member of the individual. The HHS guidance can be found here.
The deadline is September 22, 2014 for group health plans to amend certain business associate agreements (“BAAs”) for compliance with amendments to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Enforcement Rules (the “Changes”) that were issued by the Department of Health and Human Services (“HHS”). The Changes impact the requirements that BAAs must meet to be compliant with HIPAA Privacy and Security Rules. However, BAAs that qualified for a transition rule (i.e., generally those BAAs which (i) were entered into on or before January 25, 2013 and (ii) were not amended or renewed between March 26, 2013 and September 23, 2013) were deemed to comply with the Changes until the earlier of (i) the date the BAA was modified or renewed on or after September 23, 2013 or (ii) September 22, 2014. Consequently, any group health plan which qualified for this transition rule must amend such…
Two Covered Entities Settle Potential Violations of HIPAA Privacy and Security Rules For Approximately $2 Million
The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules. Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”). Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow-up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’ view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI,…
This is a reminder that September 23, 2013 is the deadline to update HIPAA policies and procedures, business associate agreements, notices of privacy practices, and HIPAA training presentations. There is an extended deadline for business associate agreements that were compliant and in place before January 25, 2013.