At a time when digital security and cyberattacks are key concerns for individuals and businesses alike, plan sponsors and other plan fiduciaries have a key role to play in protecting retirement plan assets and data. Otherwise known as “responsible plan fiduciaries,” these individuals and certain plan service providers have a fiduciary duty to ensure there is a robust cybersecurity program in place to keep plan assets and data secure. As we previously reported on our blog here, the DOL recently issued guidance in this arena to keep employers and plan fiduciaries compliant. The DOL is now specifically targeting employers and plan fiduciaries who fail to adequately protect employee retirement plan assets from hackers and cyberthieves, so the time to act is before the DOL issues a plan audit and before participants are victimized by cybercriminals or hackers. The DOL requires that plan fiduciaries responsible for prudently selecting and monitoring service…
With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries, including any new members of plan administrative and investment committees, have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”)…
Last week, HHS issued a Notice of Proposed Rulemaking that proposes changes to the HIPAA Privacy Rule that will affect HIPAA privacy policies and procedures for employer group health plans. The proposed revisions affect (i) an individual’s right to access “protected health information” (“PHI”), (ii) the content required in the Notice of Privacy Practices, and (iii) the ability to use and disclose PHI based on professional judgment, to avert a threat to health or safety, or for coordination of care and case management. HHS proposed that compliance with the changes would be required within 180 days after the effective date of a final rule. HHS has requested comments on the proposed changes within 60 days after their publication in the Federal Register, which publication should occur soon. The Notice of Proposed Rulemaking is available here.
Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (“HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations pursued by OCR following the receipt of a breach report by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed…
HHS recently issued a final rule (the “HHS Rule”) that sets out the inflation-adjusted civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The adjusted CMP amounts are applicable to HIPAA violations by a HIPAA covered entity or business associate that occur after November 2, 2015, for which a CMP is assessed on or after November 5, 2019. The HHS Rule is available here.
HHS recently entered into a $3.5 million settlement agreement with a health care provider (the “Provider”) on behalf of five entities under its common ownership and control for violations of the HIPAA privacy and security rules. Each of the five entities constituted a “covered entity” under HIPAA. In 2013, the Provider filed five breach reports with HHS, each of which pertained to a separate incident that implicated the “electronic protected health information” (“EPHI”) of one of those covered entities. HHS’s subsequent investigation of the breaches revealed a number of violations of the HIPAA privacy and security rules, including that certain of the covered entities: Failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI; Provided unauthorized access to EPHI for a purpose not permitted by the HIPAA privacy rules; Failed to implement policies and procedures to address security…
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a $2.5 million HIPAA privacy and security settlement with CardioNet, a wireless health services provider and covered entity under HIPAA, based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (“EPHI”). The disclosure occurred when a laptop computer belonging to a member of CardioNet’s workforce, which contained the unsecured EPHI of 1,391 individuals, was stolen from a parked vehicle outside of the workforce member’s home. CardioNet reported the breach to OCR and an investigation ensued, pursuant to which OCR determined that (i) CardioNet did not have a sufficient risk analysis and risk management process in place at the time of the theft, (ii) CardioNet had never actually implemented its draft policies and procedures for compliance with HIPAA’s security rules, and (iii) CardioNet was unable to produce any final policies or procedures regarding the implementation…
The U.S. Department of Health and Human Services (“HHS”) recently issued an interim final rule (the “HHS Rule”), which sets out inflation adjustments to the civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the “2015 Act”). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial “catch up” adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows: Prior $$…
The U.S. Department of Health and Human Services (“HHS”) issued guidance explaining that for purposes of the HIPAA privacy rule, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction; the term “marriage” includes both same-sex and opposite-sex marriages; and the term “family member” includes dependents of those marriages. Legally married same-sex spouses, regardless of where they live, are family members for the purposes of applying rules permitting HIPAA covered entities to share an individual’s protected health information with a family member of the individual. The HHS guidance can be found here.
Two Covered Entities Settle Potential Violations of HIPAA Privacy and Security Rules For Approximately $2 Million
The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules. Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”). Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow-up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’ view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI,…