Tag Archives: Health Insurance Portability and Accountability Act

Done in by the photocopier… Do you have policies in place to protect your company from disclosing sensitive information?

Contributed by Michael D. Wong, Tim Lessman and Colin Gainer

Affinity Health Plan, Inc. (Affinity) recently entered into a $1,215,780 settlement with the U.S. Department of Health and Human Services (HHS) after inadvertently disclosing medical records stored on the internal hard drives of leased photocopiers. Affinity had leased the photocopiers and then failed to erase their internal hard drives before returning them to the leasing company. Affinity learned of the breach not from its own controls but from CBS Evening News, which contacted Affinity in the course of an investigative report for which it had purchased a photocopier previously leased by Affinity; the machine's hard drive still held personal identifying information and medical information for more than 300,000 people. Affinity self-reported the breach to HHS and subsequently entered into the $1,215,780 settlement.

That settlement is a prime example of how technology has changed and how company security policies and protocols must change with it. An individual can now store more data and documents on a cell phone or in a cloud service than on the first personal computers and their floppy disks. As Affinity learned, many modern photocopiers contain internal hard drives that retain images of every document scanned, faxed or copied. Technology has created significant security concerns for companies about how to handle and manage sensitive data, employment records, medical records and other documents that include personal identifying information, Social Security numbers, health/medical information, credit/background reports, and confidential or proprietary business information. Disclosure of such information can create liability through privacy claims, fines for violating HIPAA, and actions by the Federal Trade Commission, HHS and other governmental agencies.

Now more than ever, identifying sensitive data and implementing a sound policy to safeguard it are crucial steps in protecting a company from data and privacy breaches. Any policy should address the procedure for securing data processed on every electronic device that stores it, including photocopiers, printers, personal computers, laptops, tablets/iPads, smart phones, flash drives, and other electronic devices. Options typically include encrypting the data stored on the device, configuring the device to overwrite job data after each use, and having a documented procedure for disposing of devices and returning leased ones. Leased devices deserve particular attention because they are typically re-leased or sold to third parties. Before a leased device is returned to the vendor, arrange for any data on its hard drive to be overwritten or otherwise wiped so that it is unreadable and unusable by anyone else. Note that deleting files or restoring factory settings does not remove the underlying data from the drive; the storage itself must be overwritten or physically destroyed (NIST SP 800-88 describes the accepted methods), and the result should be verified and recorded rather than assumed. While a leasing company or vendor may offer this service, you should still confirm that it has actually been performed before the device leaves your control. If you have a contract with a leasing company or vendor for this service, review the contract carefully and understand any release of liability or indemnity clause relating to the service.
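As an added illustration, not part of the original post or of any vendor's tooling, the following Python script shows the kind of check a company can run on a drive image taken from a copier or similar device before it leaves the building. It scans the image block by block for blocks that still hold data, for runs of scanned text and for Social Security number patterns (including one split across a block boundary), performs a single-pass overwrite, and then confirms that every block reads back as zero. The drive image, the record fragment in it, the block size and the regular expressions are all constructed for this example.

```python
import io
import re
from dataclasses import dataclass

# Residual-data indicators, constructed for this example: a run of printable ASCII
# long enough to be a scanned-text fragment, and the US SSN format.
TEXT_RE = re.compile(rb"[ -~]{16,}")
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
SSN_CARRY = 10  # bytes carried between blocks so an SSN split at a boundary is still found


@dataclass
class WipeReport:
    blocks: int
    zero_blocks: int
    text_runs: int
    ssn_hits: int

    @property
    def clean(self) -> bool:
        # A sanitized image is all zero and carries no recoverable identifiers.
        return self.blocks > 0 and self.zero_blocks == self.blocks and self.ssn_hits == 0


def audit_image(fp, block_size: int = 4096) -> WipeReport:
    """Read a raw image (or an opened block device) and count blocks that still hold data."""
    blocks = zero_blocks = text_runs = ssn_hits = 0
    tail = b""
    while True:
        block = fp.read(block_size)
        if not block:
            break
        blocks += 1
        if block.count(0) == len(block):
            zero_blocks += 1
        else:
            text_runs += len(TEXT_RE.findall(block))
            # Prefix the previous block's last bytes so a boundary-spanning SSN is caught;
            # the carry is shorter than an SSN, so a hit already counted is not counted twice.
            ssn_hits += len(SSN_RE.findall(tail + block))
        tail = block[-SSN_CARRY:]
    return WipeReport(blocks, zero_blocks, text_runs, ssn_hits)


def audit_bytes(data: bytes, block_size: int = 4096) -> WipeReport:
    """Convenience wrapper for auditing an in-memory image."""
    return audit_image(io.BytesIO(data), block_size)


def overwrite_image(fp, size: int, block_size: int = 4096, fill: int = 0) -> int:
    """Single-pass overwrite of `size` bytes from the start of `fp`; returns bytes written.
    Deleting files or resetting the copier leaves job data on the drive, so the whole
    device (not the file system) has to be overwritten. On real hardware follow
    NIST SP 800-88 and the vendor's erase procedure; SSDs need the drive's own
    secure-erase command rather than a host-side overwrite like this one."""
    fp.seek(0)
    written = 0
    block = bytes([fill]) * block_size
    while written < size:
        n = min(block_size, size - written)
        fp.write(block[:n])
        written += n
    fp.flush()
    return written


def build_sample_image(size: int = 64 * 1024) -> bytes:
    """Constructed stand-in for a copier drive image: zero except for one leftover
    scanned-record fragment. The record contents are made up for this example."""
    img = bytearray(size)
    record = b"PATIENT: JANE DOE  SSN 123-45-6789  DX: HYPERTENSION  MEMBER 0042\n"
    img[20000:20000 + len(record)] = record
    return bytes(img)


def demo(block_size: int = 4096):
    """Audit the sample image, wipe it, audit again; returns (before, after)."""
    buf = io.BytesIO(build_sample_image())
    before = audit_image(buf, block_size)
    overwrite_image(buf, len(buf.getvalue()), block_size)
    buf.seek(0)
    after = audit_image(buf, block_size)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", before, "clean =", before.clean)
    print("after wipe: ", after, "clean =", after.clean)
```

Against a real device you would pass an opened raw device or a dd image to `audit_image` (for example `open("/dev/sdX", "rb")`, run with the privileges that requires), keep the report with the return paperwork, and treat any block that is not all zero, or any pattern hit, as a reason not to ship the device.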

Just as important as having policies and procedures in place to safeguard information is having a plan in place to address any breach swiftly and to minimize its adverse consequences. Companies may also consider cyber liability insurance coverage as part of that plan. This type of coverage is specifically designed to respond when data breaches occur, since standard insurance policies may not offer sufficient protection.

The extent of the potential liabilities faced by companies related to data breaches can be daunting.  However, with proper planning, preparation and implementation, companies can minimize the risks they face.

HITECH Act – What Should An Employer Worry About?

Contributed by Rebecca Dobbs Bush

On January 25, 2013, the Federal Register published final rules issued by Health and Human Services (HHS) to modify the HIPAA Privacy, Security and Breach Notification and Enforcement Rules.  The compliance deadline for almost every provision of these rules is September 23, 2013. 

The bulk of the HITECH provisions have little effect on the average employer whose only HIPAA Privacy concern is the administration of its group health plan. Primarily, employers (in their capacity as group health plan administrators) need to become familiar with the modest changes HITECH makes to privacy notices.

Before getting too worried about what’s in your Privacy Notice, remember that a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information is not required to develop a Privacy Notice.  See 45 CFR 164.520(a).

For those that are required to distribute Privacy Notices in the administration of their group health plans, HITECH regulations impose the following additions to the privacy notice:

  • A description of the types of disclosure that require an individual authorization, such as a release of PHI for sale, and marketing activities, or if the information that is released is psychotherapy notes.
  • A statement that other uses and disclosures of PHI not mentioned in the privacy notice will only be made with the individual’s authorization.
  • A statement of the right to restrict disclosures of protected health information to a health plan where the individual pays out of pocket in full for the healthcare item or service (only applies to notices from health providers, not health plans).
  • A statement of the obligation to notify affected individuals following a breach of unsecured PHI.

To the extent that a plan's privacy notice already meets the regulations' requirements, HHS has clarified that the plan is not required to revise and distribute another privacy notice on account of the final rules. This is good news for employers who already updated their privacy notices in response to the proposed version of the regulations issued in 2010.

New HIPAA Rules Raise the Stakes for Employers – UPDATED!

Contributed by Caryl Flannery and Rebecca Dobbs

If your business sponsors a self-insured or fully insured HIPAA-covered group health plan (including medical, dental, vision, long-term care, and employee assistance programs), your duties under HIPAA (the Health Insurance Portability and Accountability Act) and your exposure to liability just increased significantly. On January 17, 2013, the Department of Health and Human Services issued the final rule implementing the 2009 HITECH Act, which significantly expanded HIPAA responsibilities and enforcement. The new rule has implications for many employers because it broadens the definition of who is covered by HIPAA and adds new protections for employees and new penalties for plan sponsors.

Under the new rules, an employer who contracts out health plan services to third parties needs to ensure that those third parties’ obligations as a Business Associate (“BA”) are met.  BAs must sign a Business Associate Agreement with the plan sponsor spelling out the safeguards the BA will take to protect PHI and clarifying the BA’s role in the use of the PHI. 

Being directly covered by HIPAA carries significant duties, including designing policies and systems to ensure that PHI is used only for purposes consistent with the law; implementing safeguards for electronically stored PHI; tracking all disclosures of PHI; instituting additional protections for genetic information; complying with Health and Human Services (HHS) investigations and requests for information; and providing notice to employees whose PHI has been inappropriately disclosed under the new, materially lower "breach" threshold. HIPAA-covered entities are also subject to the newly enhanced penalties for breaches. Penalties for willful neglect that is not corrected will be at least $50,000 per violation and could reach $1.5 million in a calendar year. Under the new rules, HHS is no longer required to attempt informal resolution with covered entities and may immediately seek penalties through adversarial proceedings.

The new HIPAA requirements are complex and can only be summarized here.  For more information on how the new HIPAA rules may affect your business, contact your employment or healthcare attorney.  In the meantime, employers should begin taking the following actions:

  • Work with your insurance providers to make sure that you have the smallest possible role in collecting, accessing or receiving employee PHI. 
  • Review existing Business Associate Agreements to ensure that they reflect the new regulations.  Monitor all BAs with whom you share PHI. 
  • Post the revised Notice of Privacy Practices on your benefits website and distribute the notice to plan participants.
  • Revise employee documents to eliminate all reference to or requirement for genetic information including family medical history.
  • Audit your privacy practices to determine risks and weaknesses in your system then address those areas.