Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures

Health plans and their business associates should review and update their practices and policies concerning the use access and disclosure of protected health information in response to changing requirements and expanding enforcement exposures under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

A series of Office of Civil Rights (OCR) enforcement action against health plans highlights the need for group health plans and insurers to exercise care to comply with HIPAA’s Privacy & Security Rules.  For example, OCR recently required a HMO to take a series of corrective actions based on findings from its investigation of a complaint that the HMO impermissibly disclosed a member’s protected health information by sending her entire medical record to a disability insurance company without her authorization.  Based on its investigation, OCR found the HMO violated HIPAA by relying on a form to make the disclosure that failed to meet the Privacy Rule requirements to qualify as a valid authorization under the Privacy Rule.  Based on these findings, OCR required the HMO among other things:

  • To create a new HIPAA-compliant authorization form that specifies what records and/or portions of the files will be disclosed, that the respective authorization will be kept in the patient’s record, together with the disclosed information and otherwise to meet the content requirements of the Privacy Rule for an authorization; and
  • To implement a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form.

Another action resulted after a national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the health plan’s computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Privacy Rule.  To resolve this case, OCR required among other things that the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.

In yet another case, OCR found an employee of a major health insurer impermissibly disclosed the PHI of one of its members without following the insurer’s authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures, to take action to mitigate the harm to the individual and to counsel and give a written warning to an employee who made the disclosure.

While OCR declined to impose any civil penalties in any of these three instances, violations of the Privacy Rules have resulted in both criminal prosecutions by the Department of Justice and the payment of large civil settlements to OCR.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information  HIPAA Risks Soar As CVS Agrees to Pay $2.25 Million To Resolve HIPAA Charges & Stimulus Bill Amends HIPAA.  Furthermore, recent amendments to the Privacy Rules increase the likelihood that health plans and other covered entities violating the Privacy Rules will incur civil penalties.  The American Recovery and Reinvestment Act of 2009 (ARRA) amended the Privacy Rules effective October, 2009 to increase the civil penalties for Privacy Rule violations and to include new breach notification requirements for covered entities.  Additional ARRA amendments to HIPAA scheduled to take effect February 17, 2010 will further tighten the conditions under which covered entities may use, access or disclose PHI under the Privacy Rules, will expand the circumstances under which health plans and other covered entities will be required to account for dealings with PHI under HIPAA, and will extend the duty to comply with and liability for violations of the Privacy Rules to business associates.  In the meanwhile, employees increasingly are alleging Privacy Rule violations as part of their whistleblower or other wrongful discharge claims.  See, e.g. Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.

In light of these changing rules and expanding liabilities, health plans and their business associates need to review and update their Privacy and Security practices, business associate agreements and privacy notices for compliance in light of the expanding enforcement activities of OCR and these evolving Privacy and Security Rules.  These and other developments make it imperative that health plans and other covered entities and their business associates immediately review and update their HIPAA and other data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws.

If your organization needs assistance reviewing, updating, administering or defending privacy and data security practices under HIPAA, state data breach or other laws, Curran Tomko Tarski LLP can help.  The author of this update, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising and assisting health plans, health insurers, and other covered entities and business associates to review, update, document, enforce and defend their HIPAA and other privacy and data security policies and practices.  The author of numerous publications on HIPAA and other privacy and data security rules, she also speaks and conducts training extensively on these concerns. 

Ms. Stamer is experienced with assisting employers, insurers, administrators, and others to design and administer group health plans cost-effectively in accordance with HIPAA and other applicable federal regulations as well as well as advising and defending employers, health plans, insurers and others against privacy, tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the OCR, DOJ,IRS, Department of Labor and other federal and state regulators.. Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, a representative to the ABA Joint Committee on Employee Benefits Council, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, employee benefit and other personnel and staffing matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:


For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved. 

Comments are closed.

%d bloggers like this: