Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23

August 24, 2009

Employer and other health plans, health care providers, health clearinghouses and their business associates must start complying with new federal data breach notification rules on September 23, 2009.   

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here  in today’s Federal Register requires health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information.The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA). 

You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9 2009 from Noon to 1:30 P.M. Central Time.  

HITECH Act Data Breach and Unsecured PHI Rules 

Published in the August 24, 2009 Federal Register, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 23, 2009.

Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.

Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.  

 For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act.  Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act.  Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance. 

Read the Breach Regulation here .  To review the HITECH Act Breach Notification Guidance and Request for Information, see here .

Register For September 9, 2009  “HITECH Act Health Data Security & Breach Update”

Interested persons are invited to register here now  to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201.  For questions or other information about this program, e-mail here.

Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover: 

  • Who must comply
  • What your organization must do
  • How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
  • What is considered a breach of unsecured protected health information
  • What steps must a covered entity take if a breach of unsecured protected information happens
  • What liabilities do covered entities face for non-compliance
  • What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
  • How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
  •  Other recent developments
  • Practical tips for assessing, planning, moving to and defending compliance
  • Participant questions
  • More

About The Presenter

The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.  Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

 Past Chair of the ABA Health Law Section Managed Care & Insurance Section and currently the Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Section and a Council Representative of the ABA Joint Committee On Employee Benefits, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

We hope that this information is useful to you.  If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@cttlegal.com.

©2009 Cynthia Marcotte Stamer.   All rights reserved. 


Registration Open For June 23 Dallas HR 2009 Health Plan Eligibility Update Program

June 9, 2009

Amid soaring health care costs and tightening corporate budgets, employers and other group health plan sponsors, fiduciaries and administrations now also must update their group health plan eligibility and enrollment practices to comply with the American Recovery and Reinvestment Act of 2009 (the “Stimulus Bill”), COBRA subsidy mandates, HIPAA special enrollment rule amendments and a host of other changes to federal eligibility mandates that already have or will take effect this year.  Meanwhile, employers must keep a careful watch on Congress as it considers enacting sweeping health care reforms that are likely to place more obligations on employers.

Health plan eligibility design and administration plays a critical role in controlling health benefit costs and is a leading and growing source of health plan legal risk for employers, fiduciaries and administrators.  Understanding and properly managing these concerns is imperative for employers and others sponsoring or administering these programs.

Stamer Discusses Health Plan Eligibility Rules June 23

Cynthia Marcotte Stamer will explain newly effective COBRA Subsidy Rules, genetic information nondiscrimination rules and other recent and impending changes to federal health plan eligibility mandates will be explained on June 23, 2009 during a 2009 Health Plan Eligibility Update briefing hosted by the Dallas Human Resources Management Association including:

Cynthia Stamer will explain to attendees what they need to know and do about:

  • New Stimulus Bill COBRA Subsidy Rules and other special COBRA rules that took effect on February 17
  • New GINA group health plan information scheduled to take place in 2009
  • Changes to HIPAA special enrollment and nondiscrimination rules
  • Implications for group health plans based on recent changes to FMLA and USERRA regulations
  • Medicare, Medicaid and CHIP nondiscrimination rules
  • Impending college student continuation mandates
  • And more….

Get  details or register on line here or by telephoning Dallas Human Resources Management Association at 214-631-8775.

Stamer’s Health Plan Experience Extensive

The immediate past Chair of the American Bar Association’s Managed Care & Insurance Section, Cynthia Marcotte Stamer is a highly regarded legal advisor, author and speaker recognized both nationally and internationally for her expertise in the areas of health benefits and other human resource compliance matters. Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, “Cindy” recently joined Curran Tomko Tarski, LLP as the Chair of its Labor & Employment and Health Care Practices April 1, 2009.

The Managing Editor of Solutions Law Press and an Editorial Advisory Board Member and author for Employee Benefit News and other publications, Ms. Stamer is a widely published author and popular speaker. In addition to hundreds of publications on health plan and other human resources, employee benefit and internal controls issues, Ms. Stamer is the author of the “Health Plan Eligibility Toolkit.” Her work has been featured and published by the American Bar Association, BNA, SHRM, World At Work, Employee Benefit News and the American Health Lawyers Association. Her insights on human resources risk management matters have been quoted in The Wall Street Journal, the Dallas Business Journal, Managed Care Executive, HealthLeaders, Business Insurance, Employee Benefit News and the Dallas Morning News.

Ms. Stamer also serves in a number of professional leadership roles including the leadership council of the ABA Joint Committee on Employee Benefits, Vice Chair of the ABA Real Property, Probate & Trust Section and Employee Benefits & Compensation Group.

Cynthia Marcotte Stamer and other members of Curran Tomko and Tarski LLP are experienced with advising and assisting employers with these and other health plan and other employee benefit,  labor and employment, compensation, and internal controls matters. If your organization needs assistance with assessing, managing or defending its wage and hour or other labor and employment, compensation or benefit practices, please contact Ms. Stamer via e-mail here, or by calling (214) 270-2402.  For additional information about the experience, services, publications and involvements of Ms. Stamer specifically or to access some of her many publications, see here,   For more information and other members of the Curran Tomko Tarksi, LLP team, see the Curran Tomko Tarski Website.

We hope that this information is useful to you. For additional information about the experience, services, publications and involvements of Ms. Stamer specifically or to access some of her many publications, see here,   For more information and other members of the Curran Tomko Tarksi, LLP team, see the Curran Tomko Tarski Website.

You can register to receive future updates and information about upcoming programs, access other publications by Ms. Stamer and access other helpful resources here.  If you or someone else you know would like to receive updates about developments on these and other human resources and employee benefits concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here.  If you would prefer not to receive these updates, please send a reply e-mail with “Remove” in the subject line to support@SolutionsLawyer.net. You also can register to participate in the distribution of these updates by registering to participate in the Solutions Law Press HR & Benefits Update Blog here.

 ©2009 Cynthia Marcotte Stamer. All rights reserved.


COBRA Premium Reduction and Extended Eligibility Provisions in the American Recovery and Reinvestment Act of 2009

May 2, 2009

The U.S. Department of Labor (“DOL”) today (May 1, 2009) continued its efforts to increase awareness of the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) provisions in the American Recovery and Reinvestment Act of 2009 (“ARRA”) by sharing information with state agencies and asking their assistance in helping dislocated workers, businesses, and partners in understanding the new law.

Under ARRA, employees involuntarily terminated between September 1, 2008 and December 31, 2009 and their dependents may be able to qualify for a 65% discount in the required premium they must pay to maintain COBRA coverage under their former employer’s group health plan for up to 9 months.  Special rules also apply to former employees who qualify for Trade Adjustment Assistance or affected by certain Pension Benefit Guarantee Corporation insurance programs.

Employers must pay the remaining amount of the otherwise required COBRA premium, but can request reimbursement from the Internal Revenue Service by filing for a payroll tax credit under the provisions of ARRA. 

Group health plans were required to begin complying with the new ARRA rules beginning February 17, 2009 and to notify workers of the new rules no later than April 18, 2009.  Many employers and their group health plan sponsors are still working to complete the necessary arrangements to comply with these new requirements.

The communication of information about the new provisions by the DOL, group health plans, employers and the media have prompted an outpouring of questions from many employees and their dependents, confused about their eligibility for the ARRA COBRA Subsidy and its workings.

In Training And Employment Notice No. 42-08, which is addressed to state workforce agencies, labor commissioners and other state workforce regulators, the Employment and Training Administration (“ETA”):

  •  Shared certain basic information about ARRA’s COBRA, Trade Adjustment Assistance and other workforce assistance relief;
  • Detailed some of the training and other resources provided by the DOL to help States and their citizens understand these new provisions and the procedures for their use; and
  • Asked the regulators to assist in communicating and disseminating the information to individuals who might qualify for benefits and other interested parties.

Interested persons can review the announcement at http://wdr.doleta.gov/directives/attach/TEN/ten2008/TEN42-08acc.pdf.

Cynthia Marcotte Stamer is nationally known for her knowledge and experience on COBRA and other health benefit and employee benefit matters,.  You will find several of these previous publications on the new ARRA COBRA provisions on prior editions of the Solutions Law Press HR & Benefits Update.  You also can access some of the many practical updates that she has prepared on these and other COBRA matters by e-mailing or contacting her.  She and other members of Curren Tomko and Tarski LLP are experienced with advising and assisting employers with these and other labor and employment, employee benefit, compensation, and internal controls matters. If your organization needs assistance with assessing, managing or defending its COBRA or other employee benefit or human resources practices, please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402 or your favorite Curren Tomko Tarski, LLP attorney. 

For additional information about the experience and services of Ms. Stamer and other members of the Curren Tomko Tarksi, LLP team, see the http://www.cttlegal.com.


DOL Releases Stimulus Bill Model COBRA Notices, Other Guidance

March 19, 2009

The U.S. Department of Labor (“DOL”) this morning (March 19, 2009) posted Model Notices and other additional guidance about temporary requirements added to the group health plan medical coverage continuation requirements of the Consolidated Omnibus Budget Reconciliation Act of 1985, as amended (“COBRA”) by the American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”). Employers, health plan administrators, and health insurers involved in the sponsorship or administration of COBRA-covered group health plans should consult with counsel about the suitability of using the Model Notices to provide required notifications of the new Stimulus Bill COBRA rules and other steps necessary to comply with the new requirements.  Compliance with the Stimulus Bill COBRA rules is mandatory for all COBRA-covered group health plans and certain other arrangements including group health plans sponsored by businesses in bankruptcy where the entity or a commonly controlled or affiliated entity continues to maintain a group health plan.

 

The new guidance posed today includes:

 

  • Various  Model Notices
  •  New FAQs for Employers on the COBRA Premium Reduction
  •  Expanded FAQs for Employees on the COBRA Premium Reduction
  •  Updated FAQs for Employees on General COBRA Provisions

 

While the Model Notices and other guidance provides helpful insights about the new requirements, many group health plan sponsors, administrators and fiduciaries are likely to find it necessary or desirable to specifically tailor the notifications and other procedures they provide to more clearly communicate the workings of the new requirements as they relate to their specific plans so as to minimize administrative burdens of compliance and fiduciary risks.

 

The Stimulus Bill provisions that took effect on February 17, 2009 require special COBRA treatment for “assistance eligible individuals.” See “Stimulus Bill COBRA Amendments Require Immediate Group Health Plan Action” for more information. The Stimulus Bill COBRA amendments are intended to help certain involuntarily terminated former employees and their dependents maintain COBRA coverage.  Employers must amend their plans to comply with these mandates and, if they wish to seek reimbursement for COBRA Subsidies, must comply with IRS requirements. Meanwhile, group health plan administrators and insurers must take immediate action to provide required notifications and implement other administrative changes necessary to comply with the new rules.

 

The Stimulus Bill definition of “assistance eligible individual” generally includes any COBRA “qualified beneficiary” who meets all of the following requirements:

  • Is eligible for COBRA continuation coverage at any time during the period beginning September 1, 2008 and ending December 31, 2009;
  • Elects COBRA coverage (when first offered or during the additional election period): and
  • Has a qualifying event for COBRA coverage that is the employee’s involuntary termination during the period beginning September 1, 2008 and ending December 31, 2009.

 

This definition includes both involuntarily terminated employees and their dependents who lost coverage under a group health plan due to the involuntary termination. 

 

As part of their COBRA amendments, the Stimulus Bill limits the COBRA premium that a COBRA-covered group health plan can charge an “assistance eligible individual” to 35% of the otherwise applicable COBRA premium for a period of up to 9 months (the “Subsidy Period”) beginning March 1, 2009.  Employers sponsoring these group health plans must pay the remaining 65% of the COBRA premium (the “COBRA Subsidy”) for the assistance eligible individual during the Subsidy Period.  However, the Stimulus Bill allows an employer to seek reimbursement by claiming a payroll tax credit for these COBRA Subsidy payments by complying with applicable IRS procedures. 

 

The Stimulus Bill also requires certain assistance eligible individuals whose employment terminated between September 1, 2008 and February 16, 2009 and did not elect COBRA coverage when previously offered or who allowed COBRA coverage to lapse after electing that coverage be offered a second COBRA enrollment period in which to elect prospectively to enroll in COBRA coverage.  It also requires that group health plans that offer employees different plan options allow assistance eligible individuals the option to change their coverage choice.  Also Group health plan administrators must provide certain notifications to assistance eligible individuals concerning these changes.

 

The guidance posted today supplements preliminary guidance previously posted by the Internal Revenue Service and the Department of Labor over the past month. You can review the current Deparment of Labor Guidance at http://www.dol.gov/ebsa/COBRA.html and the current IRS Guidance at http://www.irs.gov/newsroom/article/0,,id=204505,00.html/COBRA.html .

 

The Stimulus Bill COBRA rules were among the updates discussed by Cynthia Marcotte Stamer during a March 11, 2009 Health Plan Update Teleconference.  If you are an employer or other group health plan sponsor, administrator, insurer or fiduciary and need assistance in preparing required notifications or with other matters relating to the Stimulus Bill COBRA Rules or any other health or other employee benefits matter, contact Cynthia Marcotte Stamer at CStamer@SolutionsLawyer.net or via telephone at 972.419.7188.

 

For information about how to purchase a recording of this teleconference or to review other breaking news updates about these Stimulus Bill COBRA Rules, register at Cynthia Stamer.com.

 

©2009 Cynthia Marcotte Stamer, P.C.