Kansas Employment Law Blog
HHS Announces Opening of Phase 2 HIPAA Audit Program
By: Jason Lacey

The HHS Office for Civil Rights (OCR) has announced the opening of its "Phase 2" HIPAA audit program. We have been anticipating this program for some time. It potentially affects all HIPAA covered entities, including employer-sponsored group health plans, as well as business associates of those covered entities, such as third-party administrators for self-insured health plans.

The purpose of the audit program is to "assess compliance" with the HIPAA privacy, security, and breach notification rules. Accordingly, these audits will be directed at a cross-section of HIPAA covered entities and business associates, rather than based on specific complaints or news reports.

Covered entities and business associates that are potential candidates for audit will be contacted by email (check your spam filter!) and asked to complete a pre-audit questionnaire. Not all covered entities and business associates that go through the pre-audit process will be selected for audit. But those who fail to respond to the pre-audit questionnaire will still be included in the potential audit pool, and it seems fair to assume that a failure to respond may increase OCR's interest in conducting a full-scope audit. 

Based on the updated audit protocol that OCR is using to train its auditors, we have a good idea what OCR will be looking for if it conducts an audit. In the case of an employer-sponsored group health plan, the audit is likely to include a review of the following:

  • The plan document (to determine whether the proper HIPAA plan language has been adopted)
HIPAA Settlement Highlights Focus on Security Concerns
By: Jason Lacey

The latest announcement by HHS regarding settlement of an investigation under the HIPAA privacy, security, and breach-notification rules reflects an increased focus by HHS on security-related issues and the need for health plans and other covered entities to take reasonable steps to protect PHI from hacking, viruses, and malware attacks.

Background. The covered entity in this case (a non-profit community mental health services organization) reported a breach affecting the PHI of approximately 2,700 individuals. The breach was caused by a malware attack on the covered entity’s IT system. The system was using outdated software that made it vulnerable to attack. Following the HHS investigation, the covered entity agreed to a settlement that included a cash payment of $150,000 and a two-year corrective action plan.

Keep Your Software Updated! A key takeaway from this case is that covered entities will be held responsible for maintaining a sound IT infrastructure. System software must be kept up-to-date, and appropriate technical security measures must be implemented, such as firewalls capable of threat monitoring.

Common Sense Approach. Although covered entities may have varying degrees of technical sophistication, HHS’s press release emphasized the need for a “common sense approach” to risk mitigation. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave [PHI] susceptible to malware and other risks.”

Adopting Policies Isn’t Enough. Another key takeaway is that adopting policies and procedures to address the HIPAA privacy and security rules is only the beginning of an appropriate HIPAA compliance program. The policies must be implemented, followed, and

CMS Indefinitely Delays HPID Implementation
By: Jason Lacey

On the eve of the deadline for large controlling health plans (CHPs) to obtain an HPID, CMS has announced that it is indefinitely delaying enforcement of the regulations that require obtaining an HPID and using the HPID in covered transactions. The announcement is effective October 31, 2014 and applies “to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses.”

What Does This Mean for Large Health Plans? The immediate impact of this announcement appears to be that large CHPs are no longer required to obtain an HPID by the November 5, 2014 deadline. Whether or when they may be required to do so in the future will depend on when (or if) CMS decides to begin enforcing the regulations again.

What Does This Mean for Small Health Plans? The deadline for small CHPs to obtain an HPID was November 5, 2015. Technically, that deadline has been suspended as well, although with a year between now and then, it’s possible that CMS could reverse course and begin enforcing the rule again before then. So small plans should monitor the status of the rule, but likely will not want to attempt to obtain an HPID until further notice.

Where Did This Come From? The CMS announcement references a September 23, 2014 report from the National Committee on Vital and Health Statistics (NCVHS). In that report, the NCVHS unequivocally recommended that covered entities not begin using an HPID in transactions involving health plans. The report argues that there is already a

EEOC Turns Up the Heat on Employer Wellness Plans
By: Jason Lacey

Adding to a flurry of recent activity (see here and here), the EEOC has challenged the wellness plan maintained by Honeywell International, alleging that it violates both the ADA and GINA. The EEOC is seeking a preliminary injunction against Honeywell that would stop further implementation of the plan.

Plan Terms. Based on the facts described in the EEOC’s court filings, Honeywell employees are asked to undergo a biometric screening that includes a blood draw. If the employee has family coverage, the employee’s spouse is asked to complete the biometric screening as well. If employees (or their spouses) do not complete the screening, they pay a “surcharge” on their annual premium of up to $2,500 (a base surcharge of $500, plus tobacco-related surcharges of $1,000 for individual coverage or $2,000 for family coverage). They also lose up to $1,500 in employer contributions to an HSA.

ADA - Voluntariness. The EEOC’s argument under the ADA is that the biometric screening under Honeywell’s plan is not voluntary and, thus, is a prohibited medical examination. Although employees are not required to submit to the biometric screening, the premium surcharges and lost HSA contributions are enough to render the screening involuntary.

ADA - Underwriting Safe Harbor. The EEOC also argues that the wellness plan is not protected by the ADA’s underwriting safe harbor. That safe harbor permits “establishing, sponsoring, observing or administering the terms of a bona fide benefit plan that are based on underwriting risks, classifying risks, or administering such risks that are based on

CMS FAQs Clarify HIPAA Health Plan Identifier (HPID) Requirement
By: Jason Lacey

Health plans, including some employer-sponsored plans, face a looming deadline to obtain a HIPAA health plan identifier (HPID). There have been many questions surrounding this requirement, particularly as it applies to employer-sponsored plans. Recent FAQ guidance from CMS (here) has provided some key clarifications, although questions remain. Here's what you need to know.

Background. HIPAA requires health plans and other covered entities to engage in certain covered transactions in a standardized way. This is sometimes referred to as the HIPAA "transactions rule." The details of that rule are beyond what can be addressed here. But the key thing to understand is that the ACA amended the transactions rule to require health plans to obtain a specific identifier (the HPID) to be used in connection with covered transactions.

Deadline. For plans that are required to get an HPID, the deadline is November 5, 2014, unless the plan is a "small" health plan, in which case the deadline is November 5, 2015.

Small Health Plan. A small health plan is a plan that has $5 million or less in annual receipts. The CMS FAQs tell us that annual receipts mean premiums paid during the last full fiscal year, in the case of fully insured plans, and health care claims paid during the last full fiscal year, in the case of self-insured plans. Plans that are partially insured and partially self-insured combine the premiums and health care claims paid to determine their total annual receipts.

Stop-Loss Premiums. It's not clear whether annual receipts are intended to

HHS Addresses Same-Sex Spouses Under HIPAA
By: Jason Lacey

The HHS Office for Civil Rights (OCR) has provided guidance on the status of same-sex spouses under the HIPAA privacy rule.

In light of the Supreme Court's Windsor decision, same-sex spouses are recognized as lawful spouses for purposes of all federal law, including HIPAA. Under the HIPAA privacy rule, spouses are "family members" of a protected individual, which is relevant for at least the following two purposes:

  • Under certain circumstances, a covered entity (including a health plan) is permitted to share an individual's protected health information with the individual's family members. The guidance makes clear that a family member includes an individual's same-sex spouse.
  • The privacy rule prohibits health plans from using or disclosing genetic information for underwriting purposes. Genetic information includes, for example, genetic tests of an individual's family member or information regarding the manifestation of a disease or disorder in an individual's family member. The guidance makes clear that a family member for this purpose also includes an individual's same-sex spouse.

An individual's same-sex spouse may also qualify as the "personal representative" of an individual under the privacy rule, which, among other things, would allow the same-sex spouse to act on behalf of the individual in some circumstances. OCR indicates that further clarification regarding treatment of same-sex spouses as personal representatives will be forthcoming.

The bottom line for health plans and other covered entities is that same-sex spouses will be treated the same as opposite-sex spouses for purposes of the HIPAA

Health Plan's Photocopier Prints a $1.2M HIPAA Fine
By: Jason Lacey

HHS has announced another significant HIPAA privacy settlement (see press release here), this time involving a managed care plan that failed to remove protected health information from the hard drive of a photocopier it had been leasing.

The enforcement action stemmed - not surprisingly - from a breach report filed by the health plan in which the plan estimated that over 340,000 individuals may have been affected by the breach. Of greater interest, however, is the manner in which the health plan discovered the breach. It was contacted by a representative of the CBS Evening News and informed that CBS had purchased the photocopier as part of an investigative report and identified confidential medical information on the photocopier's hard drive.

In the settlement with HHS (see agreement here), the health plan agreed to pay a $1,200,000 resolution amount and implement a corrective action plan that includes using its best efforts to retrieve all hard drives contained in photocopiers previously leased by the plan.

HIPAA Enforcement: Watch Out for Disabled Firewalls
By: Jason Lacey

I've been fairly diligent in reporting on enforcement actions taken by HHS under the HIPAA privacy and security rules over the past year or so. If you've followed those posts, the outcome of the following case will not surprise you. 

In a recent press release, HHS announced a $400,000 settlement and resolution agreement with Idaho State University relating to violations of the HIPAA security rule that resulted in a data breach with respect to 17,500 patients of a primary care clinic operated by the university. The breach occurred when a firewall providing security for a server storing patient data was disabled, leaving the data unsecured. The press release and resolution agreement do not indicate that any actual disclosure of the patient data occurred. But the firewall had been disabled for 10 months before the clinic or university realized it. 

Yes, 10 months.

Quoting from the press release: "[HHS] concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner." In other words, they weren't trying hard enough - maybe not at all.

Here are a few takeaways:

  • The HIPAA security rule is just as potent as the HIPAA privacy rule. Failure to comply with the security rule won't be excused just because there was no actual loss of privacy.
  • You have to try. The security rule is written in relative rather
What Is the Deadline for Updating Business Associate Agreements?
By: Jason Lacey

All covered entities and business associates will need to review their business associate agreements in light of the new final HIPAA regulations (see prior coverage here). The new rules are effective March 26, 2013, with a general compliance deadline of September 23, 2013. So what is the deadline for reviewing and updating a business associate agreement?

Transition Rule. Under a transition rule in the new regulations, covered entities and business associates (and business associates and their subcontractors) may continue to operate under certain existing agreements for up to one year beyond the general compliance date of September 23, 2013.

There are two conditions for this rule:

(1) Already in existence. A written business associate agreement must have been in existence on January 25, 2013 (the date the new final rule was released) and must satisfy the requirements of the prior HIPAA rule.

(2) Not renewed or modified. The business associate agreement must not be renewed or modified between March 26, 2013 and September 23, 2013.

If these conditions are satisfied, the agreement will be deemed to satisfy the new rules until the earlier of (i) the date the agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. In other words, if these conditions are met, covered entities and business associates will have until as late as September 22, 2014 to update their agreements to comply with the final rule.

Evergreen Agreements. This transition rule is available for agreements that automatically renew between March 26, 2013 and September 23,

HHS Has Updated Its Sample Business Associate Agreement
By: Jason Lacey

The updated sample agreement is here. It reflects changes in the HIPAA privacy, security, and breach-notification rules made by the final omnibus regulation (prior coverage here).

The template is a helpful starting point for drafting and reviewing business associate agreements in light of the new rules. Although it does not purport to address all issues that might merit consideration in an agreement, health plans, brokers, TPAs, and other covered entities or business associates will want to be familiar with it, if for no other reason than it is likely to form the backbone of many standard BAA templates.

Reminder: The final omnibus rule is effective March 26, 2013, with a general compliance date of September 23, 2013. 

Comprehensive Final HIPAA Regulation Released
By: Jason Lacey

HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules.

Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.

Compliance Date. The advance copy of the regulation runs 563 pages, so there is considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.

Some Key Points. Here are a few key points to understand about the final rules:

1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.

2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.

3. The standard for breach notification has changed. Under current rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if there is a substantial risk of harm from the breach. That “harm” standard has been replaced. There is now a presumption

HHS Shows Some Leniency in Recent HIPAA Settlement
By: Jason Lacey

HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.

Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.) 

The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the government's radar just because there is no separate notification requirement.

Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future.

The Resolution Agreement indicates that once the covered

HHS Settles Another HIPAA Enforcement Matter for $1.5 Million
By: Jason Lacey

HHS continues to show it is serious about investigating breaches of the HIPAA privacy and security rules and enforcing those rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic PHI. The two organizations reported the theft to HHS, as required by the HITECH breach-notification rule.

In its news release, HHS had particularly pointed things to say about the covered entities' security practices.

  • "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."
  • "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."
  • "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.

A few takeaways:

  1. This case happened to involve a medical provider and a research organization, but nothing
HIPAA Privacy and Security Enforcement Heats Up for Health Plans: Even States Aren't Exempt
By: Jason Lacey

The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.

The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.

To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.

Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to

HHS Releases Audit Protocol for HIPAA Audits
By: Jason Lacey

The federal Department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules. The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.

There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:

  • Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."
  • Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals'
Federal Appeals Court Rules Against Defense of Marriage Act
By: Jason Lacey

A federal appeals court in Boston ruled late last week that a portion of the Defense of Marriage Act (DOMA) is unconstitutional because it violates the rights of same-sex couples who are validly married under Massachusetts law. At issue in the case was a provision of DOMA that says only opposite-sex spouses may be recognized as spouses for purposes of federal law.

This has important implications for employee-benefit plans because several provisions of federal law grant spouses special rights. For example, spouses have survivor rights under retirement plans, and spouses can receive tax-free coverage and have special-enrollment and COBRA rights under group health plans. Under DOMA, these rights do not apply to same-sex spouses, but that could change if DOMA is struck down.

The case does not disturb existing state statutes and constitutional provisions that prohibit the recognition of same-sex marriages. But difficult questions may arise if a same-sex couple that is validly married in one state seeks to enforce rights under federal law against an employer or employee-benefit plan in a state that does not recognize same-sex marriage.

Ultimately, this is an issue that will be addressed by the Supreme Court, and now that a federal appeals court has ruled, review by the Supreme Court could come as early as next year.
