Encrypt Mobile Devices & Clean Up Management Documentation Key HIPAA Compliance Messages In New HIPAA Settlements

April 27, 2014

“Encrypt your laptops and other mobile devices” is only one of the key lessons leaders of health plans, health care providers, health care clearinghouses (“Covered Entities”) and their business associates should take away from the Department of Health and Human Services Office for Civil Rights (OCR)’s April 22 announcement that Concentra Health Services (Concentra) and QCA Health Plan, Inc. of Arkansas (QCA) collectively are paying $1,975,220 under separate Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule resolution agreements resulting from thefts of unencrypted laptops. Along with the importance of encryption, however, these Resolution Agreements also contain equally significant, more broadly applicable lessons for Covered Entities, business associates and their leaders about some of the specific processes, actions and documentation that OCR expects them to implement, and about the adequacy of the HIPAA “culture of compliance” they must be prepared to defend, if they file a breach report or otherwise face a HIPAA audit or investigation from OCR.

Consequently, while confirming the adequacy of their organization’s existing encryption of laptops and mobile devices, Covered Entities and their leaders should also consider using these and other Resolution Agreements as a road map for reviewing and tightening their management oversight and other HIPAA compliance documentation and practices generally.

Concentra Resolution Agreement

Under the Concentra Resolution Agreement, Concentra agrees to pay OCR a monetary settlement of $1,725,220 and adopt a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules and evidence their remediation of OCR’s findings.

OCR opened a compliance review of Concentra after receiving a breach report that an unencrypted laptop was stolen from its Springfield, Missouri Physical Therapy Center on November 30, 2011. OCR’s investigation concluded that Concentra previously had recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found that Concentra had insufficient security management processes in place to safeguard patient information.

In particular, the Resolution Agreement states that HHS’ investigation found that the following conduct occurred (Covered Conduct):

Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, to document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008 until June 22, 2012 (the date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv)).

Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008 (the date of Concentra’s last project report, which indicated that 434 out of 597 laptops were encrypted) until June 22, 2012 (the date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)).

In the Resolution Agreement, Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.

QCA Resolution Agreement

QCA’s much smaller $250,000 monetary penalty under the QCA Resolution Agreement also resulted from a breach notification of the theft of an unencrypted laptop and also requires corrective actions in addition to a monetary settlement. OCR opened its investigation after QCA reported in February 2012 that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car.  OCR’s investigation revealed that while QCA encrypted their devices following discovery of the breach, QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.

To resolve OCR’s charges that it violated HIPAA, QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures, substantially similar to those imposed under the Concentra Resolution Agreement, to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.

Corrective Action Plan Lessons For Other Covered Entities & Business Associates

Unquestionably, laptop and other mobile device encryption is a key takeaway of the two separate resolution agreements against Concentra and QCA. OCR Deputy Director of Health Information Privacy Susan McAndrew made this point clear in the announcement of the Concentra and QCA Resolution Agreements, stating “Covered entities and business associates must understand that mobile device security is their obligation,” and “Our message to these organizations is simple: encryption is your best defense against these incidents.”

As important as this encryption warning is, however, leaders of Covered Entities and business associates must not overlook the more subtle but equally important messages these Resolution Agreements share about the management oversight and other specific actions, documentation and other evidence that OCR may expect their organizations and their leadership to produce if OCR investigates or audits their HIPAA compliance.

OCR officials have stated that Covered Entities and their business associates should use the corrective action plans in resolution agreements to help guide their own compliance efforts. While the message to encrypt mobile devices is important, it is not the only lesson that leaders should learn. The Concentra and QCA Resolution Agreements, as well as their predecessors, also contain detailed information about various other processes and procedures that OCR views as necessary or helpful to the compliance efforts of Covered Entities and their business associates. Privacy officers and other leaders of Covered Entities and business associates should avoid the mistake of allowing the Resolution Agreements’ clear messaging about mobile device encryption to lure them or their organization into overlooking the broader, more general messages that the corrective action plans in the Concentra, QCA and other Resolution Agreements share about the compliance processes and analysis, management review and oversight, training and other compliance practices and documentation that OCR may expect their organizations to create and produce.

The requirement in the Concentra and QCA Resolution Agreements’ Corrective Action Plans that an officer attest that the organization completed the detailed corrective actions required by OCR and that the reports submitted to OCR are accurate, for instance, reflects OCR’s expectation that senior management take ownership of ensuring the adequacy of their organization’s HIPAA compliance. In this respect, leaders of Covered Entities and business associates particularly should note that both the Concentra and QCA Resolution Agreements, as well as the Skagit County Resolution Agreement announced in March 2014, require specific attestations from an “officer” of the entity that the officer reviewed the reports, made reasonable inquiry regarding their content and believes that, upon such inquiry, the information is accurate and truthful. These attestation requirements send a clear message that OCR views leaders as responsible for taking appropriate steps to require and confirm adequate HIPAA compliance, in the same manner as typically applies to other Federal Sentencing Guideline compliance efforts. See HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments. In short, OCR expects the leadership of Covered Entities and business associates to take ownership of and keep tabs on their organization’s HIPAA compliance. In light of this, leadership of all Covered Entities and their business associates should evaluate the adequacy of their current HIPAA management oversight and documentation in proving the “culture of compliance” expected by HIPAA.

Viewed from this perspective, the corrective action steps and reporting requirements imposed by the Concentra, QCA and other Resolution Agreements are valuable road maps to both privacy officers and other management of Covered Entities and business associates about the processes, steps and documentation that management should consider requiring as part of its direction and oversight of their organizations’ Privacy, Security and Breach Notification compliance.

In this respect, management should note that both Resolution Agreements require that Concentra and QCA conduct, document, and report to OCR on a series of specific steps toward compliance. In both cases, for instance, OCR requires Concentra and QCA, among other things, to conduct a ‘thorough risk assessment’ of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI, then develop and implement a ‘detailed risk management plan’ that addresses the identified compliance concerns, the plan and timeline for their redress, and steps for monitoring and verifying that those actions are taken.

From the Resolution Agreements’ discussion, leaders should expect that the documentation and evidence that OCR may require their organizations to produce will include:

  • A detailed risk management plan that documents and explains the organization’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on the organization’s circumstances;
  • With the risk management plan, material evidence of all implemented and all planned remediation actions associated with the plan, along with specific timelines for their expected completion and identification of the compensating controls that will be in place in the interim to safeguard the organization’s ePHI;
  • For any changes to the organization’s information technology (IT) infrastructure, software or other components, an updated risk analysis covering any changes or updates to its IT infrastructure (security environment) that affect the risks and vulnerabilities to ePHI the organization receives or maintains, containing all of these elements;
  • Records showing that the organization both requires and tracks the encryption status of mobile and other devices containing ePHI, and that it requires specific review and documentation that ePHI will not be used on computers or other devices that are unencrypted;
  • Documentation not only that required workforce training is completed, but also that existing and future record-keeping requires and retains the documentation that would enable the organization to demonstrate to OCR that its leadership requires monitoring and documentation that all workforce members have completed the required training, the training materials used, the topics covered, the length of the session(s), when the session(s) were held, and the attestations or other documentation from individual workforce members that the organization requires to verify each individual’s participation, understanding and affirmation of the need to comply with HIPAA.

Accordingly, management of Covered Entities and business associates should consider verifying that their organizations have, or take the steps necessary to be able to provide, this documentation and other evidence.

The reporting requirements that OCR imposes under the Resolution Agreements also may help leaders of Covered Entities or their business associates appreciate the importance of requiring periodic, detailed and documented reporting from the Privacy Officer on their organization’s compliance with HIPAA, and some of the types of information that they should expect to receive in these reports. In this regard, leaders may wish to take note that the Concentra, QCA and Skagit County Resolution Agreements each required the organization to prepare and provide reports, accompanied by the required officer attestations, containing among other things:

  • A summary of the organization’s security management process and the security measures taken during the Reporting Period, including, if applicable, any documentation of training related to those measures;
  • A summary of the organization’s encryption efforts taken during the Reporting Period; and
  • A summary of the organization’s security awareness training efforts taken during the Reporting Period.

In light of these requirements, leaders of Covered Entities or business associates also should consider establishing policies that both require periodic reporting to management and management review of reports on their organization’s ePHI and other Privacy and Security compliance that will produce documentation of similar periodic management oversight as an ongoing process within their organizations.

Since the Concentra and QCA Resolutions are only two of several existing Resolution Agreements, and likely will be supplemented by others in the future, management also should ensure that past and future Resolution Agreements as well as other guidance and developments under HIPAA are systematically reviewed and responded to in a similar, well documented manner.

Learn More At Upcoming Workshops and Teleconferences

Leaders, privacy officers, internet security officers, technology professionals and others concerned about HIPAA and other privacy and security management for Covered Entities, business associates and others can learn more about HIPAA Privacy, Security and Data Breach compliance and risk management by participating in one of the following upcoming HIPAA educational events at which the author of this update, Cynthia Marcotte Stamer, will be a featured presenter:

For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in the medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile at www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile here. For important information about this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


ONC HIPAA Security Risk Assessment Tool Intended To Help Covered Entities Assess Compliance

March 31, 2014

Health care providers, health plans, health care clearinghouses and their Health Insurance Portability and Accountability Act (HIPAA) business associates should check out the new Security Risk Assessment (SRA) Tool (Tool) application from the Office of the National Coordinator for Health IT (ONC). ONC says the Tool will help users take a self-directed tour of the HIPAA Security Rule, make the Rule more understandable, and make security risk assessments easier. The Tool includes:

  • Context sections to help understand potential threats, vulnerabilities, and impacts
  • Examples of safeguards that could be instituted
  • Ability to export the report as an Excel or pdf document to share or analyze the information in a convenient format.

Download the Windows version of the tool at http://www.HealthIT.gov/security-risk-assessment or the iOS iPad version from the Apple App Store (search under “HHS SRA Tool”).

Public comments on the SRA Tool will be accepted at http://www.HealthIT.gov/security-risk-assessment until June 2. ONC says it will use comments to improve the SRA Tool in future update cycles.



HHS Extends Health Plan Certification of Compliance Comment Period

March 18, 2014

The Department of Health and Human Services (HHS) has extended the comment period for the proposed rule, “Administrative Simplification: Health Plan Certification of Compliance” to April 3, 2014 in hopes of receiving additional input from third party administrators (TPAs) and self-insured plans.

HHS is now accepting public comments on the proposed rule through April 3, 2014.

The Certification of Compliance for Health Plans proposed rule is different from previous Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification regulations because it affects more and different types of entities.

For example, many third party administrators, self-funded health plans, and group health plans that have not been impacted by previous HIPAA Administrative Simplification requirements will be affected by this rule, even if they do not directly conduct HIPAA covered transactions.

The proposed rule would require controlling health plans to submit documentation on or before December 31, 2015. It would also establish penalty fees for a controlling health plan that fails to comply with the Certification of Compliance requirements.

HHS says the goal of the extension of the comment period is to provide self-insured health plans and their TPAs time to understand and offer feedback on the business impacts of the Certification of Compliance proposed rule. HHS encourages these entities to submit feedback so that their comments and suggestions can be considered during the policy-making process.

The proposed rules will require self-insured health plans and their TPAs to incur financial and operational expense to implement the necessary technology, data collection and other arrangements to come into compliance with the proposed rules.  To help minimize these burdens to the extent possible, these and other concerned parties should review the rules and share their concerns and input as soon as possible.  Accordingly, self-insured health plans, their sponsors, TPAs and advisors should review the proposed rules and provide relevant input as soon as possible and no later than the extended April 3, 2014 due date.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile at www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here.

For important information concerning this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments

March 16, 2014

Health Department HIPAA Violations Cost County $250,000, Requires Sweeping HIPAA Reforms

Hear Update On Resolution Agreement & Other New HIPAA Developments At 3/18 North Texas Healthcare Professionals Association Meeting

Skagit County, Washington will pay a $215,000 monetary settlement and work closely with the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to correct deficiencies in its HIPAA compliance program to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules by the Skagit County Public Health Department (Health Department) under a Resolution Agreement announced by OCR on March 7, 2014.  The Resolution Agreement makes clear the need for health care providers, health plans, health care clearinghouses and their business associates to update and maintain their policies and practices in compliance with the constantly evolving OCR guidance and resolution agreements, as well as to timely investigate and report breaches.   Interested persons are invited to hear a briefing on a series of new developments including this latest Resolution Agreement at the March 18, 2014 North Texas Healthcare Professionals Association Meeting.

OCR investigated the Health Department after receiving a breach report that unknown parties accessed money receipts with electronic protected health information (ePHI) of seven individuals after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

OCR reports its investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information about the testing and treatment of infectious diseases.

OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

Specifically, the Resolution Agreement between OCR and the Health Department states that OCR found the following conduct occurred (“Covered Conduct”).

  • From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the ePHI of 1,581 individuals in violation of the Privacy Rule by providing access to ePHI on its public web server;
  • From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident;
  • From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations;
  • From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  • From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County.

To resolve OCR’s allegations of these breaches, Skagit County agrees under the Resolution Agreement to pay HHS $215,000.00 and to ensure that the Health Department implements a series of corrective actions.  Among other things, the Resolution Agreement requires that the Health Department:

  • Provide substitute Breach Notification to individuals not previously notified of the breach of their ePHI in accordance with the Resolution Agreement;
  • Revise to the satisfaction of OCR and adopt revised accounting for disclosure, hybrid entity designations, and policies on safeguarding PHI, including its sample business associate agreements;
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered health care components of Skagit County as identified in its hybrid entity documentation approved by HHS, and implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level;
  • Create and revise, as necessary, written policies and procedures for its covered health care components to comply with the Federal standards that govern the privacy, security, and breach notification of individually identifiable health information;
  • Comply with strict workforce training requirements;
  • Notify OCR of the occurrence of some reported breaches, its investigation and corrective actions;
  • Provide a summary of the reported events and the status of any corrective and preventative action relating to all such Reportable Events; and
  • Provide OCR with an attestation signed by an officer of Skagit County attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

In addition to bringing its policies and practices up to date with OCR regulations in effect at the time of the breach that resulted in the Resolution Agreement, the Health Department also will have to update its policies and practices to meet changes to OCR’s HIPAA rules that have taken effect since the breach under the revised rules published by OCR in its Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013 as well as a series of recently issued OCR rules such as the following:

Covered Entities & Business Associates Should Review & Tighten Practices in Response To Resolution Agreement & Other New Guidance

Other covered entities and their business associates should carefully evaluate and tighten their existing practices in response to the Resolution Agreement and other recent guidance. In the past, OCR officials have stated that OCR expects other health care providers, health plans, health care clearinghouses and their business associates to review resolution agreements like this one along with other emerging OCR guidance and to update their practices as necessary to address concerns within their own organization that might be similar to those reflected in the applicable resolution agreement. The Resolution Agreement documents this expectation by specifically incorporating this requirement as part of its terms.

When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show that their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation, and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws, like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

Hear Stamer’s Update On Resolution Agreement & Other New HIPAA Developments At 3/18 North Texas Healthcare Professionals Association Meeting

Scribe for the American Bar Association Annual Agency Meeting with OCR for the fourth year, attorney Cynthia Marcotte Stamer will overview these and other HIPAA developments when she presents “Tutoring On OCR’s Latest HIPAA Homework” at the North Texas Healthcare Professionals Association Study Group Luncheon on Tuesday, March 18, 2014 from 11:30 a.m. to 1:00 p.m. at the offices of the Dallas Ft Worth Hospital Council, 250 Decker Drive, Irving, TX 75062-2706. A complimentary luncheon will be served to guests who register in advance. There is no charge to participate but space is limited. RSVP here by Noon on March 17, 2014.

For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.



HHS Shares Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements

September 16, 2013

A week before the September 23, 2013 deadline for all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates to have updated their business associate agreements to comply with the Final Omnibus HIPAA Rule, the Department of Health & Human Services Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) today (September 16, 2013) released Model Notices of Privacy Practices (Notices) for health care providers and health plans to use to communicate with their patients and plan members. With penalties and enforcement continuing to rise, Covered Entities and their business associates should take appropriate steps to review and update their privacy and breach notification policies and procedures, privacy officer appointments, notices of privacy practices, business associate agreements and other HIPAA compliance and risk management documentation, practices, procedures and coverage.

Model HIPAA Notices

Developed collaboratively by ONC and OCR, the Notices, available here in the following three different styles, are designed for users to customize to fit their specific needs and practices:

  • A notice in the form of a booklet;
  • A layered notice with a summary of the information on the first page and full content on the following pages; and
  • A notice with the design elements of the booklet, but that is formatted for full-page presentation.

Use of these model Notices is optional. While the agencies designed the Notices to let Covered Entities use these models by entering some of their own information, such as contact information, and then printing them for distribution and posting on their websites, Covered Entities should consult with legal counsel to determine the suitability of the Notices generally for their entity’s use and any customization, if any, that may be recommended or required if the Covered Entity decides to rely upon a model Notice to prepare its Notice of Privacy Practices. To facilitate any tailoring, the agencies provided a text-only version for Covered Entities that wish to use only the content, with or without tailoring.

September 23 Business Associate Agreement Update Deadline

September 23, 2013 also is the final deadline established in the Final Omnibus HIPAA Rule for Covered Entities and their business associates to update the business associate agreements required by HIPAA to reflect the application of the breach notification, business associate, and many other HIPAA requirements directly to business associates, and other aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009. While HHS published a Sample Business Associate Agreement last June to aid Covered Entities and their business associates with understanding the business associate agreement requirements as impacted by the Omnibus Final HIPAA Rule, it also made clear that Covered Entities and their business associates should tailor their business associate agreements to fit their specific circumstances and relationships. OCR National Office and regional officials speaking about their findings about past business associate agreement compliance have indicated that their audit and enforcement activities show widespread compliance issues among Covered Entities and business associates with the original business associate agreements. OCR clearly expects Covered Entities and their business associates to address and resolve these compliance issues going forward.

Covered Entities and their business associates are increasingly at peril if caught violating HIPAA’s Privacy, Security or Breach Notification rules.  With the HITECH Act Breach Notification rules now requiring Covered Entities to self-disclose breaches, OCR becomes aware of breaches much more easily.  Coupled with the HITECH Act’s increase in sanctions for HIPAA violations, Covered Entities and, beginning September 23, 2013, their business associates face rising risks for violating HIPAA.  See, e.g. HHS Settles with Health Plan in Photocopier Breach Case; WellPoint Settles HIPAA Security Case for $1,700,000; Shasta Regional Medical Center Settles HIPAA Security Case for $275,000; Idaho State University Settles HIPAA Security Case for $400,000; and HHS announces first HIPAA breach settlement involving less than 500 patients.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices, taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments, to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement actions; with 2014 health plan decision-making, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer for help.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experience with these and other employment, employee benefit and compensation matters, Ms. Stamer is widely recognized for her extensive work, publications, and thought leadership on HIPAA and other privacy and data security issues. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer’s experience includes extensive work advising, representing and training health plan, health insurance, health IT, health care and other clients on HIPAA and other privacy, data protection and breach and other related matters, and she represents and advises these and other clients in responding to OCR Privacy and Civil Rights and other HHS agencies, Labor Department and IRS regulations, investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is recognized for her extensive publications and programs, including numerous highly regarded publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications.

Beyond her HIPAA involvement, Ms. Stamer also continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and is active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons until further guidance setting the extended deadline was published.


IRS Publishes Final Health Reform Individual Shared Responsibility Rules

September 1, 2013

Starting in 2014, the Individual Shared Responsibility mandate of the Patient Protection & Affordable Care Act (ACA) dictates that each individual American either have minimum essential coverage for each month, qualify for an exemption, or make a payment when filing his or her federal income tax return. In anticipation of the implementation of this Individual Shared Responsibility mandate, the Department of the Treasury and the Internal Revenue Service (IRS) published final regulations implementing the Individual Shared Responsibility mandate in the Internal Revenue Code. The guidance contained in these final regulations provides each American with critical information about their families’ potential exposure to liability for the individual shared responsibility tax in 2014 as well as key insights for employers. Solutions Law Press, Inc. authors are finalizing various articles on certain key aspects of these new regulations for publication over the next few days. Stay tuned for more details!

For each month beginning after December 31, 2013, Internal Revenue Code Section 5000A’s Individual Shared Responsibility mandate requires that individual Americans either qualify as exempt, maintain minimum essential coverage for themselves and any nonexempt family members, or pay an individual shared responsibility payment when filing their Federal income tax return. A taxpayer will be obligated to pay the individual shared responsibility tax under Internal Revenue Code Section 5000A for any non-exempt individual the taxpayer claims as a dependent on his or her individual tax return who is not exempt or enrolled in minimum essential coverage.

Under § 5000A(f)(2), minimum essential coverage includes coverage under an eligible employer-sponsored plan.

The final regulations set the rules that the IRS will use to decide when an individual American will become liable for paying the tax imposed by ACA for failing to maintain the minimum required health insurance coverage mandated by ACA beginning January 1, 2013, and other related rules. While specifically addressing the obligations of individual Americans to pay the Individual Shared Responsibility payment, the final rules, coupled with the availability of the new option for individual Americans to buy coverage through an ACA-qualified federal health care exchange and, depending on the adjusted household income of the individual, potentially also to receive tax credits for enrolling in coverage through an exchange, are likely to impact the enrollment choices that employed individuals make about enrolling in coverage offered by their employer versus coverage through a federally qualified health insurance exchange. Accordingly, both individual Americans and the businesses that employ them should act quickly to understand the key aspects of the final regulations and their implications.

When considering the effect of these final regulations, employers and individual Americans should keep in mind that Notice 2013-42, issued on June 26, 2013, provides limited transition relief from the Individual Shared Responsibility mandate for employees and their families who are eligible to enroll in certain employer-sponsored health plans with a plan year other than a calendar year if the plan year begins in 2013 and ends in 2014. For additional information on the Individual Shared Responsibility provision, the final regulations and Notice 2013-42, see the IRS questions and answers.

Coming slightly less than a month before the October 1, 2013 scheduled opening of the first enrollment period for individual Americans to enroll in health care coverage through a federally qualified health insurance exchange created pursuant to ACA, and the deadline for employers to deliver the notice of the availability of this option dictated by Fair Labor Standards Act Section 18B, the final regulations and the Obama Administration’s announced plans to enforce their provisions have drawn criticism from a number of groups. While the Obama Administration has indicated that it still plans to enforce the Individual Shared Responsibility mandate against individual Americans, it announced in July, 2013 that it would delay enforcement of the Employer Shared Responsibility Mandate rules of Internal Revenue Code Section 4980H until 2015. Many consumer rights groups and others are arguing that the Administration should also delay its enforcement of the Individual Shared Responsibility Mandate in light of its delay of enforcement of Internal Revenue Code Section 4980H against businesses. Pending a reversal of its position or Congressional relief, the final regulations signal to individual Americans and their employers to prepare to deal with the new Individual Shared Responsibility Mandate beginning in January, 2014.

While the delay in enforcement of the Section 4980H employer shared responsibility payment until 2015 means that employers will not incur liability for failing to provide coverage meeting the minimum essential coverage, minimum value and affordability standards of Internal Revenue Code Section 4980H, the impending implementation of the Individual Shared Responsibility mandate of Internal Revenue Code Section 5000A and the impending availability of tax credits for certain individuals with Household Adjusted Gross Incomes of less than 400 percent of the poverty level almost certainly will influence enrollment decisions that employees make concerning coverage offered by their employer, if any. Employers can expect that employee choices about enrolling in employer-sponsored group health coverage will be influenced by the impending obligation to enroll in coverage or pay the individual shared responsibility tax in 2014 governed by the final regulations. Employers can expect that employee concern about these exposures will prompt many employees to carefully scrutinize, and in some cases question, the information and implications of information provided by the employer or its plan, such as the Section 18B notice that employers must provide by October 1, 2013 and the summary of benefits and coverage (SBC) that the Affordable Care Act obligates the employer or plan to provide, as the employees work to sort out their choices. As these and other plan communications are likely to face significant scrutiny, employers and their employee benefit plan fiduciaries and administrators should use extra care to ensure that these and other plan documents and communications are carefully and precisely tailored to accurately convey all material plan terms.

For Help or More Information

If you need help understanding or dealing with these impending notification requirements, with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge of and experience with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and is active in a multitude of other employee benefits, human resources and other professional and civic organizations.  She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.  You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that, for several reasons, the notice requirement under FLSA section 18B would not take effect on March 1, 2013, and that the extended deadline would instead be set by further guidance.


Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts

August 21, 2013

Employer and union group health plan sponsors and insurers of group and individual health plans (Health Plans) agonizing over 2014 plan design decisions are running out of time. Impending deadlines to update and deliver the initial Exchange Notice by October 1, 2013, the Summary of Benefits and Coverage (SBC) disclosure before their next enrollment period begins, and the 60-day prior notice of material reductions in benefits or services under the plan mandated by the Patient Protection and Affordable Care Act (ACA) require employers or other sponsors to finalize design decisions and amendments well in advance of January 1, 2014.  These new notification obligations create added urgency and pressure for Health Plans and their employer and other sponsors to finalize and implement their decisions on their Health Plans’ 2014 plan designs and coverages, and to make the determinations necessary to prepare and timely deliver the required notifications in accordance with these new mandates, well before the start of the 2014 plan year or its enrollment period. Employers who in the past have put off these decisions until the last month of the plan year no longer can legally do so.

ACA Exchange Notices Due By October 1

One of the biggest time constraints for finalizing 2014 plan designs, contracts and terms is the impending October 1, 2014 deadline for employers to provide the notice required by Fair Labor Standards Act Section 18B.

Regardless of whether the employer sponsors a health plan or when the next plan enrollment period begins, all employers covered by the FLSA generally are required to deliver a notice to employees about the new option, beginning January 1, 2014, to get health care coverage through a health care exchange (now rebranded by the Obama Administration as a “Marketplace”) created by ACA. The notice must meet the requirements of new FLSA Section 18B, enacted by Section 1512 of ACA.

Absent a delay or other reprieve from the Obama Administration or Congress, open enrollment for health insurance coverage through the Marketplace begins October 1, 2013.  Beginning October 1, 2013, individuals and employees of small businesses can apply for, and beginning January 1, 2014 can buy, health care coverage offered through the Marketplace established under ACA for their state (including the Federal Marketplace for states that did not elect to establish their own Marketplace). Some individuals who earn less than 400% of the federal poverty level and meet certain other conditions also are slated to qualify to receive federal subsidies that will pay all or part of the cost of buying coverage through a Marketplace.

To promote awareness among employees of the Marketplace as an option for getting health coverage, ACA creates a new FLSA Section 18B requiring a notice (Exchange Notice) to employees of coverage options available through the Marketplace.  Originally required by March 1, 2013,[*] the deadline for providing the Exchange Notice was extended by the Department of Labor (DOL) to October 1, 2013.  Employers must provide a notice of coverage options to each employee, regardless of plan enrollment status (if applicable) or of part-time or full-time status. Employers are not required to provide a separate notice to dependents or other individuals who are or may become eligible for coverage under the plan but who are not employees.

All FLSA-Covered Employers Must Provide Exchange Notices Beginning October 1, 2013

Under FLSA Section 18B, each applicable employer must provide each employee at the time of hiring (or, with respect to current employees, by October 1, 2013) a written notice that fulfills the applicable Exchange Notice requirements as set forth in the DOL Regulations.

The FLSA section 18B requirement to provide a notice to employees of coverage options applies to all employers subject to the FLSA. In general, the FLSA applies to employers that employ one or more employees who are engaged in, or produce goods for, interstate commerce. For most firms, a test of not less than $500,000 in annual dollar volume of business applies. The FLSA also specifically covers the following entities: hospitals; institutions primarily engaged in the care of the sick, the aged, mentally ill, or disabled who reside on the premises; schools for children who are mentally or physically disabled or gifted; preschools, elementary and secondary schools, and institutions of higher education; and federal, state and local government agencies.  Employers questioning whether their business is subject to the FLSA should seek the assistance of legal counsel experienced with the FLSA.

Timing and Delivery of Notice

Employers are required to provide the Exchange Notice to each new employee at the time of hiring beginning October 1, 2013. For 2014, the Department will consider a notice to be provided at the time of hiring if the notice is provided within 14 days of an employee’s start date.

For employees who are current employees before October 1, 2013, employers must provide the Exchange Notice no later than October 1, 2013.

The Exchange Notice must be provided in writing in a manner calculated to be understood by the average employee. Employers may deliver the Exchange Notice by first-class mail or, if the electronic notification requirements of the Department of Labor’s electronic disclosure safe harbor at 29 CFR 2520.104b-1(c) are met, electronically.

Required Content of Exchange Notice

The Exchange Notice content mandated by FLSA Section 18B is fairly limited.  Section 18B dictates only three required elements; the Exchange Notice must:

  • Inform employees of coverage options, including information about the existence of the new Marketplace as well as contact information and description of the services provided by a Marketplace;
  • Inform the employee that the employee may be eligible for a premium tax credit under Section 36B of the Code if the employee purchases a qualified health plan through the Marketplace; and
  • Include a statement informing the employee that if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.  At minimum, this generally requires that the Exchange Notice distributed by an employer must inform the employee.

Interim DOL guidance implementing these requirements construes the content requirements as requiring that the Exchange Notice tell the employee:

  • Of the existence of the Marketplace (referred to in the statute as the Exchange) including a description of the services provided by the Marketplace, and the way the employee may contact the Marketplace to request assistance;
  • That the employee may be eligible for a premium tax credit or subsidy under Section 36B of the Internal Revenue Code (the Code) if the employee purchases a qualified health plan through the Marketplace and the employer does not offer coverage to the employee under a group health plan that is considered to provide “Minimum Value” for purposes of ACA; and
  • That if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.

Allow Adequate Time To Do Analysis, Complete Other Steps To Prepare Exchange Notices

Employers should resist the urge to let the shortness of the list of information that FLSA Section 18B requires in the Exchange Notice lure them into underestimating the time and effort required to prepare the Exchange Notice.  For many employers, determining whether the Health Plan provides Minimum Value can be time-consuming and complex.

For this, the SBC notice discussed later in this update and other purposes, Code Section 36B(c)(2)(C)(ii) provides that an employer-sponsored Health Plan provides Minimum Value if the plan’s share of the total costs of covered services is no less than 60%.  That is, the anticipated covered medical spending for covered benefits paid by the group health plan for a standard population, computed in accordance with the plan’s cost-sharing, divided by the total anticipated allowed charges for covered benefits provided to that standard population, must be no less than 60%.  See Patient Protection and Affordable Care Act: Standards Related to Essential Health Benefits, Actuarial Value, and Accreditation Regulation.

Existing regulations require an employer to obtain an actuarial certification to determine whether its Health Plan provides Minimum Value unless the employer can show that the Health Plan meets the criteria to use, and satisfies, this test using either the Minimum Value Calculator or an applicable safe harbor design approved by HHS, Treasury and DOL.  These determinations often are time consuming and complex, requiring careful review and analysis of the group health plan coverage and benefits.  Many self-insured or other group health plans have plan designs that prevent the employer from relying on the Minimum Value Calculator or the design safe harbors.  If the employer cannot rely upon the Minimum Value Calculator or one of the design safe harbors, an actuarial certification will be needed.  Employers need to allow sufficient time to make these determinations in time to complete and deliver the Exchange Notices.

Employers should particularly expect to need an actuarial certification to determine whether the Health Plan provides Minimum Value if the Health Plan is taking advantage of the temporary relief from the cost sharing limitations of ACA for 2014 announced by the Obama Administration in February and reconfirmed in July. That relief allows Health Plans, for 2014, to apply to prescription drug benefits an ACA-compliant out-of-pocket maximum that is separate from the ACA-compliant out-of-pocket maximum applied to all other benefits subject to ACA’s cost sharing restrictions.  Because the Minimum Value Calculator cannot take this option into account, employers planning to apply a separate out-of-pocket maximum for prescription drug coverage versus other plan benefits should be prepared to get an actuarial certification of whether the plan provides Minimum Value.

DOL Model Exchange Notices Not Panacea

Employers may want to use some or all of the language that the DOL included in Model Notices that DOL published in conjunction with its publication of interim guidance on FLSA Section 18B in Technical Release No. 2013-02 on May 8, 2013 here. Because employers must tailor the content of the Exchange Notice for their group health plan based on specific information about their group health plan, employers are cautioned not to underestimate the time or effort that will be required to properly prepare the Exchange Notice for their group health plan, whether or not the employer makes use of the Model Notices in whole or part.

DOL published three model exchange notices (Model Notices) to assist employers in preparing the Exchange Notice for their Health Plan for 2014. One Model Notice is intended for employers who do not offer a Health Plan.  The second Model Notice is designed for employers who offer a health plan to some or all employees. The third Model Notice is designed for employers to use to notify individuals who are enrolled or eligible to enroll in continuation coverage under the Health Plan under the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA).  Technical Release No. 2013-02 says employers may use the applicable model or a modified version, provided the Exchange Notice meets the content requirements described above.

Despite the availability of these Model Notices, preparing and providing the Exchange Notices required by Section 18B typically requires significant evaluation and presents a variety of challenges for most employers.  While the Model Notices are intended to make it easier for employers to prepare and provide the required Exchange Notices, completing them generally is challenging for many employers.

First, even using the Model Notices, the employer must decide if the Health Plan provides Minimum Value.

Another challenge with wholesale use of the Model Notices involves deciding how much of the optional language contained in the Model Notices to include in the Exchange Notice and what optional information, if any, to provide as part of that Notice.

For one thing, the Model Notices propose that the Exchange Notice include statements that many critics view as inappropriately promoting enrollment in coverage through the Marketplace rather than in employer sponsored group health plans.  Critics complain, for instance, that the Model Notice’s statement that the Marketplaces offer “one-stop shopping” that allows the employee to get coverage that the Model Notice describes as more “affordable” is inaccurate or misleading. Many critics view the assertion that coverage obtained through the exchange is more “affordable” as inaccurate for two reasons. First, it does not compare the actual benefits and costs of the respective plan options or consider whether the employee can afford the typically richer (and therefore often more expensive) benefit packages that ACA’s essential health benefits mandates require be included in coverage offered for sale through the Marketplaces. Second, it presumes that these higher costs will be defrayed by tax credits or subsidies that are only available if the employee earns less than 400% of the federal poverty level and is not offered the option to enroll in employer sponsored group health plan coverage that provides “minimum essential coverage” (MEC) and Minimum Value and is “affordable” within the meaning of ACA.

Employers considering using the Model Notices also need to decide if their Exchange Notices will include the optional factual disclosures about their group health plan suggested in the Model Notices, but not required to fulfill the requirements of FLSA Section 18B.

The Model Notices propose that an employer also voluntarily provide a significant amount of other information about its group health plan that FLSA Section 18B permits, but does not require, the Exchange Notice to include.  The DOL says it designed the Model Notices to help employers identify and disclose information that the DOL expects employees interested in the tax credit to subsidize the employee’s cost of enrolling in coverage through the Marketplace will need to get from employers to show eligibility.  DOL assumes that many employers might want to voluntarily provide this information in the Exchange Notice to avoid receiving a multitude of anticipated inquiries from employees interested in seeking tax credits to subsidize their enrollment in coverage through the Marketplace.  Since collecting the data necessary to make these optional disclosures can add significant complexity and time to the preparation of the Exchange Notice, employers should carefully weigh the pros and cons of making the optional disclosures.  The anticipated demand for this information has declined since the Obama Administration announced it plans to use an “honor system” approach to determine whether individuals can claim eligibility for tax credit subsidies for buying coverage through the Marketplaces in 2014.  Meanwhile, the interim nature of the existing guidance on the Exchange Notice and other key aspects of ACA makes it reasonable to expect further changes in the expected content of the Exchange Notice, in the ACA requirements it is intended to communicate, or both, either of which could affect the need for or accuracy of these disclosures.  For this reason, employers should carefully consider whether and what optional disclosures to include in their Exchange Notices.

Don’t Forget To Notify COBRA Qualified Beneficiaries

Technical Release No. 2013-02 indicates that in addition to sending an Exchange Notice to employees, employers or their group health plan administrators also must notify COBRA eligible or enrolled individuals.

In general, under COBRA, an individual who was covered by a group health plan on the day before a qualifying event occurred may be able to elect COBRA continuation coverage upon a qualifying event (such as termination of employment or reduction in hours that causes loss of coverage under the plan). Individuals with such a right are called qualified beneficiaries. A group health plan must provide qualified beneficiaries with an election notice, which describes their rights to continuation coverage and how to make an election. The election notice must be provided to the qualified beneficiaries within 14 days after the plan administrator receives the notice of a qualifying event.

Technical Release No. 2013-02 says that the DOL considers the information required in the Exchange Notice to be information that should be disclosed to qualified beneficiaries, and that the DOL is revising its previously published model COBRA notices to incorporate this information.

DOL says in Technical Release No. 2013-02 that group health plans can use the revised model COBRA election notice to satisfy the requirement to provide the election notice under COBRA, including the disclosure of information required by FLSA Section 18B. The DOL cautions that, as with the earlier model COBRA notices, in order to use this model election notice properly, the plan administrator must complete it by filling in the blanks with the appropriate plan information. Technical Release 2013-02 states that use of the model election notice, appropriately completed, will be considered by the Department of Labor to be good faith compliance with the election notice content requirements of COBRA.

ACA SBC Mandate Overview

In addition to the Exchange Notice requirement, the need to prepare and timely deliver the “Summary of Benefits and Coverage” (SBC) required by ACA also pressures employers to finalize their health plan terms and contracts for 2014 as soon as possible.

ACA amended Public Health Services Act (PHS) Section 2715, Employee Retirement Income Security Act (ERISA) Section 715 and Internal Revenue Code (Code) Section 9815 to require that Health Plans and health insurance issuers provide a SBC and a “Uniform Glossary” that “accurately describes the benefits and coverage under the applicable plan or coverage” in a way that meets the format, content and other detailed SBC standards set by ACA as implemented by the Departments’ regulatory guidance. Like the Exchange Notice, proper preparation of the SBC requires a determination of whether the Health Plan provides Minimum Value, as well as other detailed analysis of the plan terms and coverages to complete the other disclosures required in the SBC.

The Summary of Benefits and Coverage and Uniform Glossary Final Regulation (Final Regulation) implementing this requirement, published February 14, 2012, generally requires Health Plans to provide the SBC at specified times, including before the first offer of coverage under the Plan as well as following certain material changes to the Plan. For Health Plans providing group health plan coverage, FAQs About ACA Implementation (Part VII)[*] set the deadlines for Health Plans to deliver a SBC as follows, while at the same time indicating that the Departments would not impose penalties on plans and issuers “working diligently and in good faith” to provide the required SBC content in an appearance consistent with the Final Regulations:

  • To covered persons enrolling or re-enrolling in an open enrollment period (including late enrollees and re-enrollees), as of the first day of the first open enrollment period that begins on or after September 23, 2012; and
  • For individuals enrolling in coverage other than through an open enrollment period (including individuals who are newly eligible for coverage and special enrollees), as of the first day of the first plan year that begins on or after September 23, 2012. See FAQs About ACA Implementation (Part VIII).

While the SBC rules don’t prohibit an employer from amending its Health Plan terms after the enrollment period begins, employers that change Health Plan terms or designs after distributing a SBC must incur the expense and effort of preparing and redistributing an updated SBC.  Accordingly, most Health Plans and their sponsors or insurers will want to finalize Health Plan terms before the enrollment period begins to avoid the need for and expense of sending updated SBCs as a result of a later change in Health Plan terms.

The Final Regulation and other existing guidance generally dictate that Health Plans follow a required template for providing the SBC and accompanying glossary. When publishing the Final Regulation, the Departments also published the required SBC template form (2013 SBC Template) and instructions for Health Plans to use to prepare and provide the required SBC for coverage beginning before January 1, 2014, and promised updated guidance and templates for use in providing SBCs for post-2013 coverage. While the Agencies clarified certain other details about the SBC rules, they did not materially change the required content or form of the 2013 SBC Template until their April 23, 2013 release of FAQs About ACA Implementation (Part XIV). See, e.g., FAQs About ACA Implementation Part IX and Part X.

FAQ Part XIV Requires MEC and Minimum Value Disclosures In SBC

FAQs About ACA Implementation (Part XIV), published April 23, 2013, announces the updated 2014 SBC Template that the Agencies are requiring for SBCs for periods of health coverage from January 1, 2014 to December 31, 2014.  Along with the 2014 SBC Template, the Agencies also published a 2014 Sample Completed SBC, which provides an example of a SBC completed by the Agencies for a hypothetical health plan.

The 2014 SBC Template updates the 2013 SBC Template and Sample Completed Template to add information the Agencies believe individuals eligible for Health Plan coverage should know in light of the impending implementation of the individual shared responsibility requirements of Internal Revenue Code (Code) Section 5000A and the employer shared responsibility rules of Code Section 4980H commonly called ACA’s “pay-or-play” rules.   These were the “penalty” provisions that the Supreme Court ruled are taxes in 2013.

The April 23, 2013 FAQ expressly requires that SBCs for periods of coverage after December 31, 2013 disclose whether the Health Plan provides MEC and Minimum Value. This enables participants and beneficiaries to understand whether enrollment in the Health Plan will suffice to allow the employee to avoid paying the individual penalty under Code Section 5000A’s individual “shared responsibility” rules, to compare the coverage and costs of enrolling in the employer’s Health Plan versus enrolling in health care coverage through a Marketplace, and to predict how their eligibility for enrollment in the employer’s Health Plan will affect their eligibility to claim tax credits under Code Section 36B to help subsidize the cost of purchasing coverage through a Marketplace.

Code Section 5000A generally imposes a penalty tax on individuals that fail to maintain enrollment in MEC within the meaning of Code Section 5000A(f) and not otherwise exempt under Code Section 5000A(d).  As of the publication of this update, the Obama Administration has not announced any delay in the enforcement of this penalty against individuals, but legislation is pending in Congress that would delay its applicability, along with approving the delay of enforcement of the Code Section 4980H penalties previously announced by the Obama Administration.

Although the Obama Administration announced in early July 2013 that it will not enforce collection of the Code Section 4980H provisions against employers until 2015, Code Section 4980H generally requires employers of 50 or more full-time employees to pay a penalty if the employer fails to offer a group health plan providing MEC and Minimum Value.  Minimum Value is determined for this purpose in the same manner that it is determined for purposes of making the required disclosure in the Exchange Notice.

60-Day Advance Notice of Material Changes Requirement

In addition to providing the required Exchange Notice and SBCs, employers, group health plans and their plan administrators also must ensure that participants and beneficiaries are given at least 60 days prior notice before the effective date of any “material reduction in covered services or benefits.” See 29 CFR Section 2520.104b-3(d)(3); also see 29 CFR Section 2520.104b-3(d)(2) regarding a 90-day alternative rule.

Section 102 of ERISA has been amended to require 60-day advance notice of material plan changes for plan years beginning on or after September 23, 2012 before the change can be effective.  The 60-day advance notification requirement is a modification to the summary plan description/summary of material modification requirements generally applicable to employee benefit plans under ERISA.

The rule’s definition of “material modification” is the same as the definition in the summary of material modifications rule generally applicable to employee benefit plans under ERISA Section 102.

DOL guidance indicates that group health plans can meet the 60-day advance notice requirement by providing an updated Summary of Benefits and Coverage if the change is reflected on the summary or by sending a separate written notice describing the material modification.

Group health plan issuers or sponsors that willfully (intentionally) fail to provide the notice of material modification can face a fine of up to $1,000 for each failure. Each covered individual equates to a separate offense for purposes of these penalties.

Employer and other group health sponsors, issuers, fiduciaries and administrators also should keep in mind that courts historically refuse to enforce reductions in benefits or services provided under the plan until participants and beneficiaries are notified of the change.  For purposes of the ERISA notification rules, group health plans, their sponsors, insurers, administrators and fiduciaries are cautioned to take into account whether health care providers or other parties who have assignments of benefits should be provided with notification under these or other ERISA rules in addition to the employees and dependents who are enrolled in coverage under the group health plan.

Notice Deadlines Mean Time Short To Adopt & Communicate 2014 Plan Terms

Employer and other health plan sponsors, insurers, administrators and others involved in 2014 group health plan decisions and preparations must take into account these notification deadlines and allow adequate lead time to properly finalize, adopt and communicate their 2014 health plan terms.

Since group health plan design decisions must be finalized to properly prepare the Minimum Value disclosures required in the Exchange Notice and the SBC, and to identify any material reductions subject to the 60-day advance notice requirement, time is running short to finalize 2014 plan designs.

Employer and other plan sponsors, fiduciaries, administrators, and insurers are cautioned that their preparations should ensure both the necessary disclosures are made and that all disclosures are carefully prepared so that the notifications and the plan terms are consistent.

These preparations should include the critical review and coordination of the language of health plan documents and summary plan descriptions in light of these other notifications to identify and address potential differences between the government-mandated terms and language in the Glossary and SBC, the Exchange Notice and 60-day notice and the plan terms and summary plan description.

Arrangements also must include proper structuring and formatting of all of these documents and timely distribution in accordance with applicable regulations to participants and beneficiaries entitled to receive these documents in a manner that positions the employer, the group health plan and its fiduciaries and insurers to show compliance. In regard to distributions, parties planning to distribute notifications electronically need to ensure that any electronic or other methods of distribution meet applicable requirements and that the Health Plans timely send copies to all entitled parties – employees and dependents – in accordance with the applicable rules.

When planning these activities, group health plans, their sponsors, insurers and administrators also generally will want to minimize distribution costs by coordinating distribution of these ACA mandated notices with other notifications required for group health plans about privacy, coverage for newborns and mothers, mental health coverage, post-mastectomy reconstructive surgery and the like.

For Help or More Information

If you need help understanding or dealing with these impending notification requirements, with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Counsel, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experience with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and is active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that, for several reasons, the notice requirement under FLSA section 18B would not take effect on March 1, 2013, and would not take effect until further guidance setting the extended deadline was published.


Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers

August 15, 2013

Affinity Health Plan, Inc. (Affinity) will pay $1,215,780 and take other corrective actions to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules under the Affinity Resolution Agreement and CAP (Affinity Settlement) with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The settlement comes as the September 24, 2013 deadline approaches for health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates to update the written business associate agreements that HIPAA requires to exist before business associates can be allowed to create, use, access or disclose personally identifiable health care information protected by HIPAA (PHI) to carry out HIPAA-covered functions on behalf of a Covered Entity, so that those agreements comply with changes to HIPAA’s implementing regulations adopted by OCR earlier this year. Health plans and other Covered Entities should take timely action to confirm that their existing procedures provide appropriate safeguards to protect PHI when using or disposing of copiers or other equipment or media, as well as to implement business associate or other policy, procedure or training updates required to comply with the updated HIPAA rules.

HIPAA Updates Require Breach Notification, Tightened Other HIPAA Requirements

HIPAA generally requires that Covered Entities (and after September 24, 2013, their business associates) safeguard and restrict the use, access or disclosure of PHI as required by HIPAA. The HITECH Act amended these requirements to tighten certain of these requirements and restrictions, to expand the sanctions for violation of these requirements, to require Covered Entities and their business associates to provide notification of breaches of unsecured PHI to the individuals whose information was breached, to OCR and, in some cases, to the media, and made certain other changes to the original requirements of HIPAA. Earlier this year, OCR amended and restated its original Privacy and Security Rules here (2013 Final Rule) to implement the HITECH Act amendments, with most changes effective beginning last March, but set the deadline for updating business associate agreements to meet these updated requirements at September 23, 2013.

The 2013 Final Rule and other OCR guidance make clear that OCR expects Covered Entities and their business associates to appropriately safeguard PHI stored in computers, hard drives, and other digital media until it is properly disposed of in accordance with the updated standards required by HIPAA as implemented under the 2013 Final Rule. The HITECH Breach Notification Rule requires HIPAA-covered entities to tell HHS of a breach of unsecured protected health information, including breaches resulting from failure to properly secure PHI stored in digital format until it has been destroyed in accordance with the standards established by the 2013 Final Rule. OCR previously has sanctioned other Covered Entities for failing to properly destroy or safeguard PHI stored in digital format on computers or other equipment before abandoning or disposing of that equipment. The Affinity Settlement reaffirms OCR’s concern that Covered Entities meet these disposal requirements when replacing or abandoning equipment containing electronic PHI.

Affinity Settlement Highlights

According to the August 14, 2013 OCR announcement of the settlement, the settlement resulted from an investigation initiated after Affinity filed a breach report with OCR on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

In its breach report, Affinity indicated that a representative of CBS Evening News told Affinity that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier Affinity had used still contained confidential medical information on its hard drive.

Affinity estimated in its breach report that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, OCR reports that its investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures for returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the Affinity Settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives from photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Learn From Affinity Lesson On Proper Disposal Procedures

Like prior OCR settlements stemming from inadequate security for PHI when transitioning equipment, media or facilities, the Affinity Settlement is another reminder to Covered Entities and their business associates of the importance of using appropriate procedures to protect or dispose of PHI when replacing or redeploying equipment or media that may contain PHI.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

OCR has published guidance concerning HIPAA’s requirements for the proper safeguarding and disposal of media and equipment in the 2013 Final Rule and other guidance. Concerning the proper disposition of copiers that may have PHI stored on their hard drives or in other digital format, OCR in the Affinity Settlement recommended that Covered Entities and their business associates also review the Federal Trade Commission’s Guidance On Safeguarding Sensitive Data Stored In The Hard Drives Of Digital Copiers and the National Institute of Standards and Technology’s Guidance On Assessing The Security Of Multipurpose Office Machines. Covered Entities and their business associates should use this and other guidance to ensure that they can demonstrate that appropriate practices and procedures have been used when disposing of or repurposing copiers or other equipment that may contain electronic PHI.

HIPAA Regulation Updates Require Other Updates Beyond Disposal Procedures

In addition to addressing the concerns that led to the Affinity Settlement, Covered Entities and their business associates also should verify that their practices, policies, privacy notices, business associate agreements, and training are updated to comply with the 2013 Final Rule adopted by OCR earlier this year here.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Final Rule fulfills that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

In response to the 2013 Final Rule and these expanding HIPAA enforcement activities and exposures, all Covered Entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices, taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments, to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need help monitoring or providing input on this legislation or to understand and respond to these or other legislation, laws and regulations, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Counsel, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters, including extensive experience on HIPAA and other privacy and data security issues. Author of numerous prominent publications on HIPAA and other data security and privacy concerns impacting health plans, health care providers, employers, financial services providers and others, Ms. Stamer also serves as the scribe for the ABA JCEB annual Technical Sessions meeting with OCR and has represented numerous health plans, employers, health care providers and others in investigating, redressing and reporting data breaches, identity theft and other compliance concerns.

She advises clients on, publishes, and speaks on HIPAA and other health plan, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, is the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press publications, and is active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.
