
New Guidance Addresses HIPAA Rules and COVID-19 Vaccination Information in the Workplace

HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures and requests for information about an individual’s COVID-19 vaccination status.  Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information an employer receives in its capacity as the plan sponsor of its group health plan (generally, a “covered entity” under HIPAA), and (ii) individualized health information received by the employer in its capacity as an employer (i.e., as related to employment functions referred to by HIPAA as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, employers are permitted to request from employees as part of… Continue Reading

New Year’s Resolutions to Ensure Proper ERISA Fiduciary and HIPAA Privacy Training

With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries—including any new members of plan administrative and investment committees—have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”)… Continue Reading

Get Ready to Update HIPAA Privacy Policies Next Year

Last week, HHS issued a Notice of Proposed Rulemaking that proposes changes to the HIPAA Privacy Rule that will affect HIPAA privacy policies and procedures for employer group health plans. The proposed revisions affect (i) an individual’s right to access “protected health information” (“PHI”), (ii) the content required in the Notice of Privacy Practices, and (iii) the ability to use and disclose PHI based on professional judgment, to avert a threat to health or safety, or for coordination of care and case management. HHS proposed that compliance with the changes would be required within 180 days after the effective date of a final rule. HHS has requested comments on the proposed changes within 60 days after their publication in the Federal Register, which publication should occur soon. The Notice of Proposed Rulemaking is available here.

Investigating and Settling Potential HIPAA Privacy and Security Violations

Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (“HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations pursued by OCR following the receipt of a breach report by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed… Continue Reading

Legal Requirements Triggered by HIPAA Breach

An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such a breach occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks.

Analysis of the Impermissible Acquisition, Access, Use, or Disclosure of PHI

An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”… Continue Reading

OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI

In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance: A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading

HHS Fact Sheet Provides Helpful Information in Addressing Ransomware Attacks under HIPAA

The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack. According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware. Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer… Continue Reading

HHS Settlement Reminds Covered Entities of Obligations and Potential Penalties under HIPAA

The U.S. Department of Health and Human Services (“HHS”) recently entered into a Resolution Agreement with St. Elizabeth’s Medical Center (“SEMC”) to settle charges that SEMC violated HIPAA by failing to implement sufficient security measures to safeguard protected health information (“PHI”) when using certain Internet-based document sharing applications. In addition, SEMC allegedly failed to timely respond to, and mitigate damages caused by, the breach of unsecured PHI on an employee’s personal laptop and thumb drive. As part of the settlement, SEMC agreed to pay HHS nearly $220,000 and to a corrective action plan under which SEMC must, among other things, review and revise its HIPAA policies, procedures, and training; retrain its workforce who have access to PHI; and submit to certain other reporting and record retention requirements. Employers that sponsor group health plans, in consultation with legal counsel, should undertake a review to ensure full compliance with HIPAA’s privacy and… Continue Reading

December 2021