Enhanced HHS HIPAA Breach Reporting Tool May Aid Health Care Industry Data Security Efforts

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation helping those looking for information on breaches and ease-of-use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases.

Improper HIPAA Disclosure Results in Termination and Legal Dispute

The Kentucky Court of Appeals recently held that a hospital acted lawfully in terminating the employment of a nurse for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The nurse had been within earshot of other patients and medical personnel when she told her colleagues to wear gloves because a particular patient had Hepatitis C. The court’s decision makes clear that medical providers must handle HIPAA-related information with extreme care and that probable (not actual) disclosure may be enough to constitute a HIPAA violation—or at least serve as a basis for discharging an employee who makes an alleged disclosure. Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman, No. 2015-CA-001958-MR (Ky. Ct. App. July 21, 2017).

Failure to Notify Individuals and Media About HIPAA Breach Within 60 Days Proves Costly

An Illinois-based health care employer has agreed to pay the federal government $475,000 to settle claims that it failed to provide notification about a breach of protected health information (PHI) within 60 days of discovering the breach, as the Health Insurance Portability and Accountability Act (HIPAA) requires.

Smaller HIPAA Breaches To Get More Attention by Office for Civil Rights

The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But no more.

Maintaining Patient Privacy In The Digital Age

Those in the heavily regulated healthcare industry know that patient information is sacrosanct. And for good reason; improper handling can result in hefty fines or criminal prosecution under the Health Insurance Portability and Accountability Act (HIPAA). Healthcare employers must often take intricate steps to safeguard Protected Health Information (PHI), including ensuring compliance by the workforce.

Check Your Spam Filter, You Might Have Been Selected for a HIPAA Audit!

Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business associates should focus on.

HIPAA Covered Entities Not Responsible For Intercepted Transmission of PHI When Individual Requested Unsecured Transmission, Office for Civil Rights Concludes

Earlier this month, the Office for Civil Rights (OCR) issued guidance on an individual’s right to access the individual’s health information. That an individual has a broad right to access has been recognized in the HIPAA privacy regulations since they became effective in 2003. OCR has found, however, that individuals are facing obstacles to accessing their health information, and believes this needs to change. To help covered providers, plans and business associates better understand the right to access, the agency issued a comprehensive set of frequently asked questions (FAQ). These FAQs address a number of access issues, but they also provide practical insight on some key points, one of which is summarized below.

Million Dollar HIPAA Settlements Are About Compliance, Not Harm to Individuals

In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of data breach reports. It is a mistake to believe that timely and otherwise compliant reporting of supposed “no harm, no foul” data breaches will result in minor, if any, enforcement activity; that is, if the agency believes you have not satisfactorily complied with the privacy and security standards.

Healthcare Worker Gives New Employer Patient Records, Old Employer Pays $15,000 to NY Attorney General For HIPAA Violation

One of your employees discloses your organization’s patient information to a soon-to-be new employer for use in generating business at the new employer’s competing business, and your company has to settle with the New York State Attorney General for HIPAA violations. Make sense?

Lamar Odom & HIPAA: A Kardashian Takeaway for Employers

Reality television fans and others were saddened recently when news of a Kardashian family member’s overdose hit the news. Lamar Odom, sometime beau of Khloe Kardashian, was hospitalized after the incident, and his privacy was reportedly violated when staffers at the medical center where he was treated took pictures of him. The staffers were immediately fired due to this conduct. Lamar’s plight contains a teachable lesson for those employers who must comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which protects the privacy of personal health information (PHI).

HIPAA Phase 2 Audits to Start in Early 2016, OCR States In Response to OIG Recommendations

Responding to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, the Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach notification requirements by covered entities and business associates.

HIPAA Audits Maybe, But Audit Preparedness Definitely!

According to a Bloomberg article, the second phase of HIPAA audits by the Office for Civil Rights (OCR), originally set to commence in 2014, may be coming soon. This update came at a HIPAA conference co-hosted by OCR during which OCR Director Jocelyn Samuels said the agency was in the process of confirming contact information of those entities that would be audited. Reason for the delay – budgetary limitations and gaps in personnel.

Cancer Care Group to Pay $750,000 to Settle HIPAA Breach, as KPMG Finds 81 Percent of Hospitals and Health Insurance Companies had a Breach in the Past Two Years

On September 2, the Office for Civil Rights (OCR) reported that it agreed to settle potential violations of the HIPAA privacy and security regulations with Cancer Care Group, Inc. The dollar amount of the settlement, $750,000, is significant, and the agreement to adopt a robust, multi-year corrective action plan under the watchful eye of the government is likely to be an unwanted strain on the business.

HIPAA Enforcement On The Rise

The number of claims filed under the Health Insurance Portability and Accountability Act (HIPAA) has skyrocketed in recent years. The latest figures from the U.S. Department of Health and Human Services (DHS) highlight a dramatically increased enforcement effort by the government in administering the federal privacy law.

Is Your Health Plan HIPAA Compliant?

Data breaches with respect to medical information are on the rise, given that such information is generally more valuable on the black market than stolen credit card data. The 2015 breach of healthcare company Anthem, Inc., which saw over 37.5 million records exposed, affected one in four Americans. In addition to the growing threat of data theft, plan sponsors are at a heightened risk of being subject to a HIPAA audit.

Anthem Data Breach Requires Plan Sponsor Attention

On January 29, 2015, Anthem Inc., one of the largest managed health care companies in the country, disclosed that the sensitive personal data of almost 80 million current and former participants in its network was breached in a cyber attack. This breach also impacted health plan participant data of plans that use the Blue Cross Blue Shield network of health providers. In some states, Anthem administers certain aspects of Blue Cross’s network. Those states include California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin. Accordingly, health plans that have participants who received care in those states through the Blue Cross network are likely to be impacted.

Ebola Outbreak Prompts HHS Bulletin on Application of HIPAA During Emergencies

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress and signed by President Bill Clinton in 1996. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule establishes nationwide standards “to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.” HIPAA also provides to patients the right to examine and obtain a copy of health records and to request corrections.

Business Associate Agreements May Require Amendment

The Omnibus Final Rule (the "Omnibus Rule") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") was issued in January 2013 and became effective March 26, 2013, with a general compliance deadline of September 23, 2013. Compliance with the Omnibus Rule required changes to many HIPAA compliance practices and related documents, including business associate agreements, the HIPAA notice of privacy practices, and breach assessment policies and procedures.

Health Law Update: CMS Finalizes Modifications to HIPAA Privacy Rule and CLIA Program to Enhance Patients' Access to Laboratory Test Reports

On February 6, 2014, the Centers for Medicare and Medicaid Services (CMS) published a final rule entitled, “CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports.” The February 6 final rule modifies the implementing regulations to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to impose significant new patient access obligations on CLIA and CLIA-exempt laboratories.

How To Analyze A HIPAA Breach

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) and subsequent regulations have changed several aspects of compliance with HIPAA, including the way covered entities should think about misuses of Protected Health Information (PHI).

IRS Loosens the FSA "Use-It-or-Lose-It" Rule

For nearly three decades, individuals participating in health flexible spending account plans ("FSAs") have been subject to a "Use-It-or-Lose-It" rule. This rule generally states that individuals with unused FSA balances at the end of the plan year (or applicable 2.5-month grace period) must forfeit those amounts. On October 31, 2013, the Internal Revenue Service ("IRS") issued Notice 2013-71, which permits, but does not require, employers to amend their cafeteria plans to allow participants to "carry over" up to $500 of unused funds to the following plan year. Below is a summary of the main features of the new carryover rules:

Legal Alert: IRS Modifies "Use It or Lose It" Rule for Health Flexible Spending Arrangements

Summary: On October 31, 2013, the Internal Revenue Service (IRS) issued Notice 2013-71 (the "Notice"), which made two significant changes affecting the administration of cafeteria plans under section 125 of the Internal Revenue Code. First, the Notice modifies the proposed regulations under section 125 to add a limited exception to the "use it or lose it" rule for health flexible spending arrangements ("FSAs"). Next, the Notice clarifies the "transition relief" that was provided in the preamble to those regulations allowing certain participants in non-calendar-year plans to make mid-year elections that are necessitated by the Affordable Care Act, even though there may not be a "change in status."

At Last, A Little Good FSA News

Ironically, one of the first things that employees probably heard about the health care reform law back in 2010 had a decidedly anti-reform sound to it: It would halve the legal limits on health flexible spending account (FSA) contributions to $2,500 in 2013.

New HIPAA Deadline Around the Corner: Be Prepared!

Don’t look now, but another HIPAA deadline is just around the corner.

Deadline To Update HIPAA Materials Is September 23, 2013

On January 25, 2013, Health and Human Services (HHS), the federal agency in charge of implementing the Health Information Privacy and Accountability Act of 1996 (HIPAA), issued regulations modifying the HIPAA Privacy and Security enforcement rules. These regulations finalized the amendments to HIPAA that were made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), modifying the HITECH Act’s interim breach notification rules and modifying the HIPAA Privacy Rules to implement the Genetic Information Nondiscrimination Act of 2008 (GINA).

HIPAA Omnibus Final Rule: Highlights for Business Associates

The omnibus final rule, published on January 25, 2013, finalizes changes to the privacy, security and enforcement rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (the statute and rules together, HIPAA), which affect business associates in two primary ways. First, the final rule significantly broadens the definition of business associate, effectively bringing many new organizations under the authority of HIPAA. Second, the final rule clarifies which requirements and liabilities pertain to business associates as a result of changes enacted by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

What Employers Need To Know About The New HIPAA Rule

A summary of the new omnibus final HIPAA rule.

Legal Alert: Final HIPAA Regulations Released: Time to Review Your HIPAA Policies?

Executive Summary: The U.S. Department of Health and Human Services ("HHS") recently released long-awaited final HIPAA Regulations. The new regulations finalize many changes previously proposed to the Privacy, Security, and Enforcement Rules, and modify the Breach Notification Rule initially adopted in August 2009. In addition, the new regulations extend HIPAA application to Business Associates.

No Harm, No Foul, No More—New HIPAA “Breach” Standards Seek to Provide Consistency, Objectivity

Beginning this fall, employer health plans—or their business associates—will have to make more comprehensive and methodical risk assessments following the discovery of an impermissible use or disclosure of unsecured “protected health information” under revised Health Insurance Portability and Accountability Act of 1996 (HIPAA) breach notification rules recently issued by the U.S. Department of Health and Human Services (HHS).

FSA Rules Changing

Beginning in 2013, employee pre-tax contributions to a flexible spending account (FSA) will be limited to $2,500. In the past, companies could impose their own limits on these employee contributions. Here's what you need to know:

Employment Law Made Un-Scary: HIPAA

Everything you need to know about HIPAA in one handy post.

IRS Guidance Puts In Extended Date For FSA Limits, Relieves The Pressure On Plan Sponsors

Employers around the country are waking up to a serious and unexpected problem with their health care flexible spending accounts. The health reform law enacted several years ago quietly limited these popular "FSA" benefits to $2,500 per year, effective January 1, 2013. But the express terms of the law conflict with the explanation provided by Congress, and many employers have been scratching their heads trying to figure out when plans must be changed to meet the requirements of the new law, and what amendment language must say.

IRS Provides Much Needed Guidance for Health FSAs

Employers are getting some welcome relief in the form of IRS guidance that provides helpful details and clarity on how to implement the upcoming $2,500 limit on salary reduction contributions to health flexible spending accounts (FSAs) set by the Patient Protection and Affordable Care Act (PPACA).

HHS Begins HIPAA Privacy and Security Audits

As you may recall, the HITECH Act required Health and Human Services (HHS), the federal agency in charge of administering HIPAA, to affirmatively conduct periodic audits to ensure that covered entities and business associates are complying with HIPAA's privacy and security rules. Before HITECH, HHS was mostly responding to complaints and not conducting random audits of HIPAA compliance.

Dramatic Increases In HIPAA Privacy And Security Enforcement

Health and Human Services' (HHS) Office for Civil Rights (OCR) has sent a strong message about its commitment to enforcement of the HIPAA Privacy and Security Rules by announcing two HIPAA Privacy Rule enforcements within one week, one of which includes the first ever use of civil monetary penalties for a HIPAA Privacy Rule violation.

HHS Imposes First Civil Monetary Penalty for HIPAA Violation

In the first civil monetary penalty (CMP) imposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for a covered entity’s violation of the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS notified Cignet Health, Cignet Health Center, Cignet Health Plan, and/or Cignet Health Care (Cignet) in a Notice of Final Determination, dated February 4, 2011, that Cignet had violated HIPAA and was subject to a CMP in the amount of approximately $4.3 million.

Mass General Hospital Pays $1 Million to Settle Potential HIPAA Violations

On February 14, 2011, The General Hospital Corporation and Massachusetts General Physician Organization, Inc. (Mass General) entered into a Resolution Agreement with the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) to settle claims that Mass General violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to safeguard the protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.

HIPAA Training: An Often Underutilized Tool in an Organization's Effort to Prevent Breaches

On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act, also known as the “HITECH Act,” was signed into law. The HITECH Act was one of the provisions contained in President Obama’s American Recovery and Reinvestment Act (ARRA), which, in addition to describing Federal initiatives designed to encourage the use of health information technology, made some significant changes to the existing Privacy and Security Regulations that are a part of the Health Insurance Portability and Accountability Act, or “HIPAA.” These changes, many of which became effective in February 2010, include new rules regarding an individual’s right to receive an accounting of disclosures of their protected health information (PHI), provisions regarding business associate accountability and liability, and new limitations on the use and disclosure of PHI. The HITECH Act strengthened HIPAA’s enforcement provisions by, among other things, giving State attorneys general the right to bring civil actions in federal courts for violations of the privacy and security rules, and also increased HIPAA’s penalty provisions by creating a tiered penalty approach to violations, such that the more severe the violation, the higher the penalty. For example, whereas prior to the passage of the HITECH Act the U.S. Department of Health and Human Services (HHS) could have imposed a fine of not more than $25,000 per entity per calendar year, penalties now can be as high as $1.5 million per entity per calendar year.

HHS Issues HIPAA Security-Breach-Notification Rules: Compliance Deadline Looming

On August 24, 2009, the Department of Health and Human Services (HHS) issued interim final rules regarding the new security-breach-notification requirement of the Health Insurance Portability and Accountability Act (HIPAA). Covered entities and their business associates (service providers to covered entities) only have 30 days after publication (or until September 23, 2009) to comply with these new rules.

A HITECH World - New Law Expands HIPAA Enforcement Power

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17 as part of the American Recovery and Reinvestment Act of 2009 (H.R. 1), also known as the economic stimulus bill. The legislation was designed to advance the use of health information technology, such as electronic health records.

Privacy Notice Reminder

Group health plans that were required to comply with privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) by April 14, 2003 (i.e., large health plans) now have an obligation to notify individuals who are covered by the plan that the privacy notice is available, and to tell them how to obtain the notice. This reminder notice must be sent at least once every three years.

Stimulus Bill's HIPAA Changes

The American Recovery and Reinvestment Act (ARRA), signed by President Obama into law on February 17, 2009, included changes to the health information privacy and security rules under HIPAA, the Health Insurance Portability and Accountability Act of 1996.

HEART Act Guidance Clarifies Health FSA Distributions For Reservists

Under new guidance issued by the Internal Revenue Service (IRS), employers will more easily be able to allow workers who have been called up to active military duty to take full advantage of “qualified reservist distributions” from their health flexible spending accounts (FSAs).

New HIPAA Wellness Regulations

In 2006, the IRS, HHS and DOL issued HIPAA regulations for wellness programs, outlining how those programs should be designed.