Affinity Health Plan, Inc., a managed care plan, filed a breach report with the U.S. Department of Health and Human Services (?Ç£HHS?Ç¥) after discovering that it had returned leased photocopiers to the leasing agents without first erasing the electronic protected health information (?Ç£EPHI?Ç¥) that was stored on the copiers?ÇÖ hard drives.?á The breach was estimated to have affected 344,579 individuals.?á HHS investigated the breach and concluded that Affinity had (1) impermissibly disclosed EPHI, (2) failed to perform a risk assessment of storing EPHI on the hard drives, and (3) failed to implement policies for the disposal of EPHI on the hard drives.?á Affinity entered into a settlement agreement with HHS, providing for a $1.2 million payment and a corrective action plan requiring Affinity to use best efforts to retrieve the hard drives and to take other measures to safeguard EPHI.?á A link to the HHS website discussing the settlement is… Continue Reading
A Final Rule was released which amends the Health Insurance Portability and Accountability Act (?Ç£HIPAA?Ç¥) to incorporate the changes made by the Health Information Technology for Economic and Clinical Health Act (?Ç£HITECH?Ç¥) and the Genetic Information Nondiscrimination Act (?Ç£GINA?Ç¥), and to make HIPAA more ?Ç£workable?Ç¥ for covered entities, such as employer-sponsored group health plans. An Alert discussing the Final Rule can be found here.
On March 13, 2012, HHS announced a settlement with Blue Cross Blue Shield of Tennessee (?Ç£BCBST?Ç¥) regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (?Ç£HIPAA?Ç¥) Privacy and Security Rules. The investigation by HHS arose after a November 2009 breach report notice submitted by BCBST to HHS reported that 57 unencrypted computer hard drives containing ?Ç£protected health information?Ç¥ (?Ç£PHI?Ç¥) of more than 1 million individuals were stolen from a leased facility in Tennessee. As a result of its investigation, HHS discovered that BCBST failed to implement appropriate administrative and physical safeguards to adequately protect PHI. In addition to the $1.5 million penalty, the settlement agreement requires BCBST to review, revise and maintain its Privacy and Security Policies and Procedures and to conduct regular trainings for all BCBST employees with responsibilities under HIPAA. According to HHS, this enforcement action is the first resulting from the breach report… Continue Reading
The U.S. Ninth Circuit Court of Appeals recently held that Montana?ÇÖs ?Ç£little HIPAA?Ç¥ insurance law (Mont. Code Section 33-22-526) is preempted by ERISA. In applying the ?Ç£conflict preemption?Ç¥ standard set by the U.S. Supreme Court in Aetna Health Inc. v. Davila, the court held that because the state law claim (i) could have been brought under Section 502(a) of ERISA because the state and federal law provisions were both identical and applied to group health plans, and (ii) is not independent of the federal law because it expressly applied to group health plans subject to ERISA, the state law is preempted by ERISA. Due to preemption of the state law, the state law claim was defeated on its merits. The court, however, noted that it was not expressing an opinion as to whether its holding would apply to a state HIPAA-type statute that provided additional protection beyond the federal HIPAA… Continue Reading
On May 31, 2011, the U.S. Department of Health and Human Services (?Ç£HHS?Ç¥) released a notice of proposed rulemaking containing changes to the Health Insurance Portability and Accountability Act (?Ç£HIPAA?Ç¥) Privacy Rule, pursuant to the Health Information Technology for Economic and Clinical Health Act (?Ç£HITECH?Ç¥). The proposed rules provide individuals with the right to receive an access report discussing any electronic access to their protected health information (?Ç£PHI?Ç¥). Also included in the proposed rule are changes to the accounting requirements for disclosures of PHI which are intended to better provide individuals with such disclosure information that is most likely to impact the individuals?ÇÖ legal and personal interests. Comments are requested on the proposed rule through August 1, 2011. The proposed rule can be found here.