
New Guidance Addresses HIPAA Rules and COVID-19 Vaccination Information in the Workplace

HHS recently issued guidance, in a Q&A format, to clarify when the HIPAA privacy rules apply to disclosures and requests for information about an individual’s COVID-19 vaccination status.  Among other questions, the guidance addresses whether HIPAA prohibits an employer from requiring its employees to disclose to the employer whether they have received a COVID-19 vaccination. In its answer, HHS confirms the important distinction under HIPAA between (i) an individual’s health information an employer receives in its capacity as the plan sponsor of its group health plan (generally, a “covered entity” under HIPAA), and (ii) individualized health information received by the employer in its capacity as an employer (i.e., as related to employment functions referred to by HIPAA as “employment records”). HHS confirmed that HIPAA does not apply to employment records and thus does not regulate the information, such as vaccination status, employers are permitted to request from employees as part of… Continue Reading

Updates on Employee Benefits Regulations Impacted by the Biden Administration’s Regulatory Freeze

On January 20, 2021, the Biden Administration issued a memorandum (the “Memo”) calling for a 60-day freeze on regulations that had not taken effect as of the date of the Memo, which included certain regulations related to employee benefits (see our prior blog post regarding the Memo here). The Memo also authorized additional postponement of such regulations following the 60-day period where deemed necessary for further review. Listed below are some of the previously discussed proposed and final regulations related to employee benefits that were impacted by the Memo and updates to their effective dates: Independent Contractor Status Under the Fair Labor Standards Act. Final Rule. Effective date is delayed until May 7, 2021. There is also a proposed withdrawal of this rule with comments due by April 12, 2021. Medicare Program; Secure Electronic Prior Authorization for Medicare Part D. Final Rule. Effective date was delayed until March 30, 2021.… Continue Reading

Before Cleaning Out Files, Brush Up on Record Retention Requirements

Our world is filled with paper and electronic records, and the HR departments at most companies are no exception. Enrollment forms, notices, plan documents, summary plan descriptions, benefit statements, and service records are just a few of the records that fill the HR department’s file cabinets and computer storage. While it might be tempting to clean out files, plan sponsors should exercise care before disposing of any files relating to benefits under a plan. A clean desk today could create headaches tomorrow. Generally, ERISA requires an employer to retain plan records to support plan filings, including the annual Form 5500, for at least six years from the filing date (ERISA §107) and to maintain records for each employee sufficient to determine the benefits due or that may become due to such employee (ERISA §209), with no time limit on such requirement. In addition, HIPAA requires retention of the policies and… Continue Reading

New Year’s Resolutions to Ensure Proper ERISA Fiduciary and HIPAA Privacy Training

With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries, including any new members of plan administrative and investment committees, have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”)… Continue Reading

Get Ready to Update HIPAA Privacy Policies Next Year

Last week, HHS issued a Notice of Proposed Rulemaking that proposes changes to the HIPAA Privacy Rule that will affect HIPAA privacy policies and procedures for employer group health plans. The proposed revisions affect (i) an individual’s right to access “protected health information” (“PHI”), (ii) the content required in the Notice of Privacy Practices, and (iii) the ability to use and disclose PHI based on professional judgment, to avert a threat to health or safety, or for coordination of care and case management. HHS proposed that compliance with the changes would be required within 180 days after the effective date of a final rule. HHS has requested comments on the proposed changes within 60 days after their publication in the Federal Register, which publication should occur soon. The Notice of Proposed Rulemaking is available here.

Investigating and Settling Potential HIPAA Privacy and Security Violations

Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (“HIPAA Rules”) related to safeguarding protected health information (“PHI”). OCR is the federal agency responsible for enforcement of the HIPAA Rules. These settlements generally arose from investigations pursued by OCR following the receipt of a breach report by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR. Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity: Neglected to implement HIPAA policies and procedures; Failed… Continue Reading

EMPLOYEE BENEFIT/EXECUTIVE COMPENSATION CHANGES MADE BY THE CARES ACT

On March 27, 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”). This historic $2 trillion relief package received bipartisan support and is part of the third wave of federal government support as the nation copes with the acute economic fallout from the coronavirus (COVID-19) pandemic. Some of the key provisions of the CARES Act that apply to health and welfare plans, educational assistance programs, retirement plans, executive compensation programs, and employment and payroll taxes are outlined below. Health and Welfare Plans Q1. What COVID-19 testing and treatment is our company’s employer-sponsored group health plan required to cover? The Families First Coronavirus Response Act (“FFCRA”) requires an employer-sponsored group health plan (including a grandfathered plan under the Affordable Care Act (“ACA”)) (a “Plan”) to provide coverage for COVID-19 diagnostic testing and services related to the diagnostic testing without any cost sharing (including deductibles, copayments, and… Continue Reading

COVID-19 EMPLOYEE BENEFIT AND EXECUTIVE COMPENSATION QUESTIONS AND ANSWERS

In light of the recent economic developments stemming from the COVID-19 pandemic, many employers are evaluating their employee benefit plans and how employee and employer costs will be impacted. The following summary provides a list of questions we have been receiving from clients over the past week, along with action items to help employers address these issues. Health and Welfare Plans and Fringe Benefits Should benefits coverage continue while an employee is on an unpaid furlough? If so, how would the employee pay the employee’s portion of the premium? Could the employee elect to drop coverage due to the reduction in hours of active service? Could the employer pay for coverage for some or all of its furloughed employees? Continued eligibility for benefits will depend on whether the employer treats the furlough as a termination of employment or as an unpaid leave of absence. The terms of the plan, including… Continue Reading

HIPAA Covered Entity Settles Breach Notification Failure with OCR for $2.175 Million

The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (“HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and other potential violations. Background OCR had investigated the Covered Entity in response to an individual complaint it received that alleged the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS… Continue Reading

OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI

In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance: A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading
