HHS Announces Opening of Phase 2 HIPAA Audit Program
04/23/2016
By: Jason Lacey

The HHS Office for Civil Rights (OCR) has announced the opening of its "Phase 2" HIPAA audit program. We have been anticipating this program for some time. It potentially affects all HIPAA covered entities, including employer-sponsored group health plans, as well as business associates of those covered entities, such as third-party administrators for self-insured health plans.

The purpose of the audit program is to "assess compliance" with the HIPAA privacy, security, and breach notification rules. Accordingly, these audits will be directed at a cross-section of HIPAA covered entities and business associates, rather than based on specific complaints or news reports.

Covered entities and business associates that are potential candidates for audit will be contacted by email (check your spam filter!) and asked to complete a pre-audit questionnaire. Not all covered entities and business associates that go through the pre-audit process will be selected for audit. But those who fail to respond to the pre-audit questionnaire will still be included in the potential audit pool, and it seems fair to assume that a failure to respond may increase OCR's interest in conducting a full-scope audit.

Based on the updated audit protocol that OCR is using to train its auditors, we have a good idea what OCR will be looking for if it conducts an audit. In the case of an employer-sponsored group health plan, the audit is likely to include a review of the following:

- The plan document (to determine whether the proper HIPAA plan language has been adopted)

HIPAA Settlement Highlights Focus on Security Concerns
12/15/2014
By: Jason Lacey

The latest announcement by HHS regarding settlement of an investigation under the HIPAA privacy, security, and breach-notification rules reflects an increased focus by HHS on security-related issues and the need for health plans and other covered entities to take reasonable steps to protect PHI from hacking, viruses, and malware attacks.

Background. The covered entity in this case (a non-profit community mental health services organization) reported a breach affecting the PHI of approximately 2,700 individuals. The breach was caused by a malware attack on the covered entity’s IT system. The system was using outdated software that made it vulnerable to attack. Following the HHS investigation, the covered entity agreed to a settlement that included a cash payment of $150,000 and a two-year corrective action plan.

Keep Your Software Updated! A key takeaway from this case is that covered entities will be held responsible for maintaining a sound IT infrastructure. System software must be kept up-to-date, and appropriate technical security measures must be implemented, such as firewalls capable of threat monitoring.

Common Sense Approach. Although covered entities may have varying degrees of technical sophistication, HHS’s press release emphasized the need for a “common sense approach” to risk mitigation. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave [PHI] susceptible to malware and other risks.”

Adopting Policies Isn’t Enough. Another key takeaway is that adopting policies and procedures to address the HIPAA privacy and security rules is only the beginning of an appropriate HIPAA compliance program. The policies must be implemented, followed, and

CMS Indefinitely Delays HPID Implementation
11/01/2014
By: Jason Lacey

On the eve of the deadline for large controlling health plans (CHPs) to obtain an HPID, CMS has announced that it is indefinitely delaying enforcement of the regulations that require obtaining an HPID and using the HPID in covered transactions. The announcement is effective October 31, 2014 and applies “to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses.”

What Does This Mean for Large Health Plans? The immediate impact of this announcement appears to be that large CHPs are no longer required to obtain an HPID by the November 5, 2014 deadline. Whether or when they may be required to do so in the future will depend on when (or if) CMS decides to begin enforcing the regulations again.

What Does This Mean for Small Health Plans? The deadline for small CHPs to obtain an HPID was November 5, 2015. Technically, that deadline has been suspended as well, although with a year between now and then, it’s possible that CMS could reverse course and begin enforcing the rule again before then. So small plans should monitor the status of the rule, but likely will not want to attempt to obtain an HPID until further notice.

Where Did This Come From? The CMS announcement references a September 23, 2014 report from the National Committee on Vital and Health Statistics (NCVHS). In that report, the NCVHS unequivocally recommended that covered entities not begin using an HPID in transactions involving health plans. The report argues that there is already a

EEOC Turns Up the Heat on Employer Wellness Plans
10/31/2014
By: Jason Lacey

Adding to a flurry of recent activity (see here and here), the EEOC has challenged the wellness plan maintained by Honeywell International, alleging that it violates both the ADA and GINA. The EEOC is seeking a preliminary injunction against Honeywell that would stop further implementation of the plan.

Plan Terms. Based on the facts described in the EEOC’s court filings, Honeywell employees are asked to undergo a biometric screening that includes a blood draw. If the employee has family coverage, the employee’s spouse is asked to complete the biometric screening as well. If employees (or their spouses) do not complete the screening, they pay a “surcharge” on their annual premium of up to $2,500 (a base surcharge of $500, plus tobacco-related surcharges of $1,000 for individual coverage or $2,000 for family coverage). They also lose up to $1,500 in employer contributions to an HSA.

ADA - Voluntariness. The EEOC’s argument under the ADA is that the biometric screening under Honeywell’s plan is not voluntary and, thus, is a prohibited medical examination. Although employees are not required to submit to the biometric screening, the premium surcharges and lost HSA contributions are enough to render the screening involuntary.

ADA - Underwriting Safe Harbor. The EEOC also argues that the wellness plan is not protected by the ADA’s underwriting safe harbor. That safe harbor permits “establishing, sponsoring, observing or administering the terms of a bona fide benefit plan that are based on underwriting risks, classifying risks, or administering such risks that are based on

CMS FAQs Clarify HIPAA Health Plan Identifier (HPID) Requirement
10/13/2014
By: Jason Lacey

Health plans, including some employer-sponsored plans, face a looming deadline to obtain a HIPAA health plan identifier (HPID). There have been many questions surrounding this requirement, particularly as it applies to employer-sponsored plans. Recent FAQ guidance from CMS (here) has provided some key clarifications, although questions remain. Here's what you need to know.

Background. HIPAA requires health plans and other covered entities to engage in certain covered transactions in a standardized way. This is sometimes referred to as the HIPAA "transactions rule." The details of that rule are beyond what can be addressed here. But the key thing to understand is that the ACA amended the transactions rule to require health plans to obtain a specific identifier (the HPID) to be used in connection with covered transactions.

Deadline. For plans that are required to get an HPID, the deadline is November 5, 2014, unless the plan is a "small" health plan, in which case the deadline is November 5, 2015.

Small Health Plan. A small health plan is a plan that has $5 million or less in annual receipts. The CMS FAQs tell us that annual receipts mean premiums paid during the last full fiscal year, in the case of fully insured plans, and health care claims paid during the last full fiscal year, in the case of self-insured plans. Plans that are partially insured and partially self-insured combine the premiums and health care claims paid to determine their total annual receipts.

Stop-Loss Premiums. It's not clear whether annual receipts are intended to

HHS Addresses Same-Sex Spouses Under HIPAA
09/19/2014
By: Jason Lacey

The HHS Office for Civil Rights (OCR) has provided guidance on the status of same-sex spouses under the HIPAA privacy rule. In light of the Supreme Court's Windsor decision, same-sex spouses are recognized as lawful spouses for purposes of all federal law, including HIPAA. Under the HIPAA privacy rule, spouses are "family members" of a protected individual, which is relevant for at least the following two purposes:

- Under certain circumstances, a covered entity (including a health plan) is permitted to share an individual's protected health information with the individual's family members. The guidance makes clear that a family member includes an individual's same-sex spouse.

- The privacy rule prohibits health plans from using or disclosing genetic information for underwriting purposes. Genetic information includes, for example, genetic tests of an individual's family member or information regarding the manifestation of a disease or disorder in an individual's family member. The guidance makes clear that a family member for this purpose also includes an individual's same-sex spouse.

An individual's same-sex spouse may also qualify as the "personal representative" of an individual under the privacy rule, which, among other things, would allow the same-sex spouse to act on behalf of the individual in some circumstances. OCR indicates that further clarification regarding treatment of same-sex spouses as personal representatives will be forthcoming.

The bottom line for health plans and other covered entities is that same-sex spouses will be treated the same as opposite-sex spouses for purposes of the HIPAA

Health Plan's Photocopier Prints a $1.2M HIPAA Fine
08/14/2013
By: Jason Lacey

HHS has announced another significant HIPAA privacy settlement (see press release here), this time involving a managed care plan that failed to remove protected health information from the hard drive of a photocopier it had been leasing. The enforcement action stemmed - not surprisingly - from a breach report filed by the health plan in which the plan estimated that over 340,000 individuals may have been affected by the breach.

Of greater interest, however, is the manner in which the health plan discovered the breach. It was contacted by a representative of the CBS Evening News and informed that CBS had purchased the photocopier as part of an investigative report and identified confidential medical information on the photocopier's hard drive. Ouch.

In the settlement with HHS (see agreement here), the health plan agreed to pay a $1,200,000 resolution amount and implement a corrective action plan that includes using its best efforts to retrieve all hard drives contained on photocopiers previously leased by the plan.

HIPAA Enforcement: Watch Out for Disabled Firewalls
05/31/2013
By: Jason Lacey

I've been fairly diligent in reporting on enforcement actions taken by HHS under the HIPAA privacy and security rules over the past year or so. If you've followed those posts, the outcome of the following case will not surprise you.

In a recent press release, HHS announced a $400,000 settlement and resolution agreement with Idaho State University relating to violations of the HIPAA security rule that resulted in a data breach with respect to 17,500 patients of a primary care clinic operated by the university. The breach occurred when a firewall providing security for a server storing patient data was disabled, leaving the data unsecured.

The press release and resolution agreement do not indicate that any actual disclosure of the patient data occurred. But the firewall had been disabled for 10 months before the clinic or university realized it. Yes, 10 months. Quoting from the press release: "[HHS] concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner." In other words, they weren't trying hard enough - maybe not at all.

Here are a few takeaways:

- The HIPAA security rule is just as potent as the HIPAA privacy rule. Failure to comply with the security rule won't be excused just because there was no actual loss of privacy.

- You have to try. The security rule is written in relative rather

What Is the Deadline for Updating Business Associate Agreements?
03/12/2013
By: Jason Lacey

All covered entities and business associates will need to review their business associate agreements in light of the new final HIPAA regulations (see prior coverage here). The new rules are effective March 26, 2013, with a general compliance deadline of September 23, 2013. So what is the deadline for reviewing and updating a business associate agreement?

Transition Rule. Under a transition rule in the new regulations, covered entities and business associates (and business associates and their subcontractors) may continue to operate under certain existing agreements for up to one year beyond the general compliance date of September 23, 2013. There are two conditions for this rule:

(1) Already in existence. A written business associate agreement must have been in existence on January 25, 2013 (the date the new final rule was released) and must satisfy the requirements of the prior HIPAA rule.

(2) Not renewed or modified. The business associate agreement must not be renewed or modified between March 26, 2013 and September 23, 2013.

If these conditions are satisfied, the agreement will be deemed to satisfy the new rules until the earlier of (i) the date the agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. In other words, if these conditions are met, covered entities and business associates will have until as late as September 22, 2014 to update their agreements to comply with the final rule.

Evergreen Agreements. This transition rule is available for agreements that automatically renew between March 26, 2013 and September 23,

HHS Has Updated Its Sample Business Associate Agreement
02/02/2013
By: Jason Lacey

The updated sample agreement is here. It reflects changes in the HIPAA privacy, security, and breach-notification rules made by the final omnibus regulation (prior coverage here). The template is a helpful starting point for drafting and reviewing business associate agreements in light of the new rules. Although it does not purport to address all issues that might merit consideration in an agreement, health plans, brokers, TPAs, and other covered entities or business associates will want to be familiar with it, if for no other reason than it is likely to form the backbone of many standard BAA templates.

Reminder: The final omnibus rule is effective March 26, 2013, with a general compliance date of September 23, 2013.

Comprehensive Final HIPAA Regulation Released
01/23/2013
By: Jason Lacey

HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules. Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.

Compliance Date. The advance copy of the regulation runs 563 pages, so there is considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.

Some Key Points. Here are a few key points to understand about the final rules:

1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.

2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.

3. The standard for breach notification has changed. Under current rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if there is a substantial risk of harm from the breach. That “harm” standard has been replaced. There is now a presumption

HHS Shows Some Leniency in Recent HIPAA Settlement
01/08/2013
By: Jason Lacey

HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.

Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.) The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the government’s radar just because there is no separate notification requirement.

Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future. The Resolution Agreement indicates that once the covered

HHS Settles Another HIPAA Enforcement Matter for $1.5 Million
09/28/2012
By: Jason Lacey

HHS continues to show it is serious about investigating and enforcing breaches of the HIPAA privacy and security rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic PHI. The two organizations reported the theft to HHS, as required by the HITECH breach-notification rule.

In its news release, HHS had particularly stringent things to say about the covered entities' security practices.

- "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."

- "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."

- "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.

A few takeaways:

- This case happened to involve a medical provider and a research organization, but nothing

HIPAA Privacy and Security Enforcement Heats Up for Health Plans: Even States Aren't Exempt
07/30/2012
By: Jason Lacey

The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.

The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.

To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.

Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to

HHS Releases Audit Protocol for HIPAA Audits
07/02/2012
By: Jason Lacey

The federal Department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules. The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.

There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:

- Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."

- Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals'

Federal Appeals Court Rules Against Defense of Marriage Act
06/04/2012
By: Jason Lacey

A federal appeals court in Boston ruled late last week that a portion of the Defense of Marriage Act (DOMA) is unconstitutional because it violates the rights of same-sex couples who are validly married under Massachusetts law. At issue in the case was a provision of DOMA that says only opposite-sex spouses may be recognized as spouses for purposes of federal law.

This has important implications for employee-benefit plans because several provisions of federal law grant spouses special rights. For example, spouses have survivor rights under retirement plans, and spouses can receive tax-free coverage and have special-enrollment and COBRA rights under group health plans. Under DOMA, these rights do not apply to same-sex spouses, but that could change if DOMA is struck down.

The case does not disturb existing state statutes and constitutional provisions that prohibit the recognition of same-sex marriages. But difficult questions may arise if a same-sex couple that is validly married in one state seeks to enforce rights under federal law against an employer or employee-benefit plan in a state that does not recognize same-sex marriage. Ultimately, this is an issue that will be addressed by the Supreme Court, and now that a federal appeals court has ruled, review by the Supreme Court could come as early as next year.

Editors
Don Berner, the Labor Law, OSHA, & Immigration Law Guy
Boyd Byers, the General Employment Law Guy
Jason Lacey, the Employee Benefits Guy