Resolution Agreement Also 1st Announced With Health Plan
Health plans and other covered entities beware and prepare! Health plans and other covered entities that report large breaches of unsecured protected health information to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) face potential civil monetary penalties (CMPs) for violating the Privacy & Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).
The HIPAA investigation and exposure to CMPs likely to follow the report of a large breach of unsecured protected health information are demonstrated by a new Resolution Agreement announced March 13, 2012 by OCR.
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 and to take certain other actions specified in a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The BCBST Resolution Agreement is particularly significant, both as:
- The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
- The first reported resolution agreement reached with a covered entity that is a health plan.
These notable enforcement firsts prove both the significance of the HITECH Breach Notification Rule as an OCR HIPAA enforcement tool and the readiness of OCR to sanction health plans that breach HIPAA’s Privacy or Security Rules.
The OCR investigation that led to the BCBST settlement began in response to the submission by BCBST of a notice, required under the Breach Notification Rule, of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals.
The Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to HHS and the media, and to submit an annual consolidated report of smaller breaches to HHS.[1]
To resolve its exposure to official sanctions for HIPAA violations stemming from these findings under the strengthened enforcement rules and sanctions enacted as part of the HITECH Act, BCBST has agreed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
The BCBST Resolution Agreement, like the 1st-ever $4.3 million HIPAA CMP that OCR imposed against Cignet Health of Prince George’s County, Md. (Cignet) in 2011 and a series of high dollar Resolution Agreements OCR has announced against various health care providers over the past few years, highlights the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as the use of the Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.
“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
BCBST’s breach notification report clearly prompted the investigation that led to the Resolution Agreement. The opening of the investigation in response to the BCBST Breach Notification report reflects the need for covered entities to be prepared to respond to an investigation when these reports are made. OCR officials previously have stated that it is the practice of OCR to conduct an investigation into all breaches of the protected health information of 500 individuals or more reported to it under the Breach Notification Rule.
The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.
[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.
For Help or More Information
If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.
A Fellow in the American College of Employee Benefits Counsel, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.
A board certified labor and employment attorney widely known for her extensive and creative knowledge of and experience with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.
Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, is the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and is active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.
Other Resources
If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:
- New Guidance On Fiduciary Duties In Handling ACA Group Health Plan Premium Rebates Highlight Advisability Of Tightening Funding Terms & Fund Handling Practices To Manage Fiduciary Risks
- Mental Health Parity Guidance On Mental Health & Substance Abuse Copays, Utilization Management Limits Released
- DFW Hospital Council Foundation Among 26 Organizations Selected To Lead Quality Effort
- Group Health Plans & Insurer To Get More Time To Meet Affordable Care Act Summary of Benefits and Coverage Requirements
- CMS Final Medicare Rule Imposes Many Conditions On Access To Medicare Claims Data To Evaluate Providers & Suppliers
- OSHA Updates Safety Resources To Prevent Construction, Other “Top 10” Exposures
- OSHA Silo Safety Citations Heads Up To Grain Operators To Manage Safety
- EBSA Releases Collection of New M-1 and Other Guidance Impacting Multiple Employer Welfare Plans
- New Obama Administration Affirmative Action Guidance Highlights Organization’s Need To Tighten Nondiscrimination Practices
- Incentives To Get Employee Into Wellness Education Requires Legal Risk Management
- HR Key Player In Managing Rising Risk of Disability, Other Discrimination Suits Under Obama Administration Justice Department
- HHS Chides Insurer For “Excessive” Premium Increases After Affordable Care Act Rate Audit
- IRS U-Tube Video Discusses 2012 Flexible Benefit Plan Rule Change
- Employers Considering Using New IRS Voluntary Worker Classification Settlement Program To Resolve Payroll Tax Risks Must Also Manage Other Legal Exposures
- Participant Notification Added To Required Procedures For Church Plan Determination Letter Requests
- HHS Credits Affordable Care Act Adult Dependent Child Coverage Rule With Getting 1 Million Young Adults Health Coverage
- 2010 Webcast Series on Federal Employer Employment of Persons With Disabilities Planned
- EBSA Plans To Include Health Care Reform Compliance In Health Plan Audits Beginning In FY 2012; Disputes OIG Criticism Of ACA Enforcement Efforts
- New Labor Department Video Tries To Educate Young Workers About Benefits & Benefit Rights
- Employer Assistance and Resource Network Offers Free Webinars For Employers During October In Honor of Disability Employment Awareness Month on Thursdays in October from 2:00 – 2:30 p.m. Eastern Time. Topics will include Employer Preparedness to Include Veterans with Disabilities
- HHS Projects Medicare Advantage Enrollment Will Rise As Premiums Decline In 2012; Plans Face Increased Regulation & Enforcement
- HHS Credits Health Reform For Getting Health Coverage For Added 1 Million Young Adults
- 4th Circuit Rejects Two Challenges To Affordable Care Act Constitutionality
- Stamer Named Fellow In American College of Employee Benefits Counsel
- ABA TIPS Section Appoints Cynthia Marcotte Stamer Vice Chair of Employee Benefits General Committee
- Affordable Care Act To Require Health Plans Cover Contraception & Other Women’s Health Procedures In 2012
- Company Executives, Plan Sponsors & Others May Face Personal Liability When Others Defraud Plans or Mismanage Employee Benefit Plan Responsibilities
- EEOC Finalizes Updates To Disability Regulations In Response to ADA Amendments Act: Employers Should Manage Risks
- Employer Charged With Misclassifying & Underpaying Workers To Pay $754,578 FLSA Back pay Settlement
- HHS Imposes 1st HIPAA Privacy Civil Penalty of $4.3 Million
- NLRB Settlement Shows Care Necessary When Employers Use Social Networking & Other Policies Restricting Employee Communications
- Wage & Hour Law Settlements Highlight Rising Wage & Hour Risks of U.S. Employers
- OCR Requires Rhode Island DHS To Provide Translation, Other Services For Limited English, Other Language Impaired Accommodations
- Bill Extending Funding For Certain Veteran Medical and Other Projects Heads To President
- Texas Health Care Organizations Among 26 Organizations Receiving Awards To Promote Health Care Quality, Safety & Affordability
- Education Key To Helping Low-Income Families Make Better Health Choices
- Poor Planning & Execution Often Tank Wellness Programs
- Health Care Reform’s Pre-Existing Condition Insurance Plan Covers Fewer Than 50,000 of Millions With Pre-Existing Conditions
- Personal Responsibility: How Should It Play Into Who Gets Help Under Health Care Reform?
- ONC Awards Key Contract To Develop Patient Electronic Consent Trial Project
- Finding Ways To Pay For Mental Health: Kaiser Studies Examine Medicaid & Other Mental Health Financing Needs & Options
- Recap of IRS Employee Plans 2011 1st Quarter Guidance
- CMS Adds “Physician Compare” Feature To Healthcare Provider Directory
- Join Project COPE: Help Develop Real Tools To Meaningfully Empower Patients & Improve Health Care Access, Affordability & Quality
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.
THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.