OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protect electronic protected health information (ePHI) on laptops and in other media!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things, to tighten certain HIPAA requirements, to expand its provisions to apply directly to business associates as well as covered entities, and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems have been a common basis for investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance of such lapses, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement adds to the growing evidence that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should critically and carefully review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices. That review should take into account the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own security and privacy breaches and near misses as well as reports of others’, and other developments, in order to determine whether additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has increased significantly across the board, compliance with and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.

Supreme Court Decision Means Health Plans Under Fire …

… To Complete ACA-Required Summary of Benefits & Communications & Other Health Plan Updates

The June 28, 2012 Supreme Court National Federation of Independent Business v. Sebelius ruling rejecting constitutional challenges to the Patient Protection and Affordable Care Act (Affordable Care Act) means most health plans, their employers and other sponsors, fiduciaries and administrators, and insurers must rush to update their health plan documents, summary plan descriptions and other communications, administrative procedures and contracts, reporting and other arrangements to meet the “Summary of Benefits & Coverage” (SBC) and other requirements of the Affordable Care Act and other federal rules that apply, or by year end will apply, to their group health plans.

Final SBC Regulations[1] implementing the Affordable Care Act’s summary of benefits and coverage requirements, jointly published February 14, 2012 by the Departments of Labor, Health and Human Services (HHS), and the Treasury (the Departments), will require most health plans and health insurers to begin providing an SBC and Uniform Glossary meeting Department standards to covered persons and coverage applicants beginning on the opening day of the first enrollment period beginning after September 22, 2012.

Parties responsible for completing these arrangements should expect to need significant lead time to properly tailor an SBC and Glossary to their health plan and to complete the other arrangements necessary to comply in a timely manner with the Final SBC Regulations. Most health plans will need significant time to complete the analysis needed to prepare an SBC appropriately tailored to their health plan. In addition, most group health plans and insurers, their sponsors, administrators and fiduciaries also generally will want to identify and make changes to their health plan design, documents, summary plan descriptions and other materials and practices in response to the new requirements.

Completing the preparations to meet the deadline for providing SBCs won’t be easy for most health plans and insurers planning to conduct annual or other enrollment periods this Fall. Most employer and other health plan sponsors, fiduciaries, insurers and administrators can expect to experience significant challenges completing the arrangements necessary to comply with the highly technical and extremely rigid requirements of the SBC rules. Most health plan sponsors, fiduciaries and administrators also will want to consider tightening plan document, summary plan description, claims and appeals notices and other plan documentation and associated administrative procedures to coordinate with the SBC language and other Affordable Care Act requirements.

Regulations implementing the SBC requirements published in February 2012 and subsequent regulatory guidance dictate detailed requirements about the required content of the SBC, and also require that health plans and insurers covered by the SBC rules provide a Uniform Glossary of terms, many of which are likely to differ from definitions of the same or similar terms in plan documents, summary plan descriptions or other plan-related documents. To help further clarify these requirements, the Departments on March 19, 2012 published a new FAQ[2] that clarifies certain information about the SBC Regulation and its deadline and other requirements. When plans cover a culturally diverse workforce, health plans also will need to make the arrangements necessary to comply with the Affordable Care Act’s requirement that health plans and insurers communicate in a culturally and linguistically appropriate manner.

Taking time to make changes needed to identify and resolve potential conflicts and other ambiguities between required terms of the SBC and Glossary and existing health plan documentation, communications and procedures is particularly important in light of the United States Supreme Court’s May 16, 2011 ruling in Cigna Corp. v. Amara.

In Amara, the Supreme Court ruled that federal courts may use equitable remedies provided for under the Employee Retirement Income Security Act to give a remedy to individuals hurt because summary plan descriptions or other communication or disclosure documents provided by the health plan contain terms that conflict with the official health plan documents under certain conditions. Health plans, their fiduciaries, sponsoring employers and unions, insurers, administrative service providers and their management also generally will want to carefully craft the SBC and other related plan materials and processes to manage these risks and support the enforceability of the intended plan design.

[1] See 26 CFR 54.9815-2715, 29 CFR 2590.715-2715, and 45 CFR 147.200, published February 14, 2012 at 77 FR 8668.

[2] See FAQS About Affordable Care Act Implementation (Part VIII).

Women's Health Services And The Patient Protection & Affordable Care Act

Effective August 1, 2012, federal regulators expanded the list of prevention-related services that the Patient Protection & Affordable Care Act (Affordable Care Act) requires non-grandfathered group health plans to cover in-network at no cost to covered persons, adding eight more prevention-related health services for women, including the mandate to cover certain contraceptive services that has engendered much debate and opposition from various religious organizations and others.

Employers and other sponsors and insurers of group health plans should review and update their health plan documents, contracts, communications and administration practices to ensure that their health plans and policies appropriately cover these and other prevention-related services that current federal regulations mandate that group health plans (other than grandfathered plans) must cover to comply with the Affordable Care Act.

Affordable Care Act Requires Non-Grandfathered Health Plans Cover Lengthy List of Prevention-Related Care With No Cost Sharing

As part of the sweeping reforms enacted by the Affordable Care Act, Congress has mandated that except for certain plans that qualify as “grandfathered,” group health plans and insurers generally must pay for 100% of the cost to cover hundreds of prevention-related health care services for individuals covered under their health plans without any co-payments or other cost-sharing.

Federal regulations have mandated since 2010 that group health plans and insurers provide in-network coverage in accordance with federal regulations implementing the Affordable Care Act’s prevention-related health services mandates for more than 800 prevention-related services listed in regulations originally published in 2009. See Agencies Release Regulations Implementing Affordable Care Act Preventive Care Mandates. The Affordable Care Act gives federal authorities the power to expand or modify this list.

Following publication of the original list, the Obama Administration engaged in lengthy consideration of the scope of contraceptive and other women’s health services that would qualify as prevention-related services, including lengthy discussions and negotiations about mandates to provide contraceptive services viewed as highly controversial by many religious organizations and several other employers. See Affordable Care Act To Require Health Plans Cover Contraception & Other Women’s Health Procedures.

Obama Administration Adds Contraceptive & Other Women’s Health Services To Required Prevention-Related Coverage List Effective 8/1/2012

The Obama Administration moved forward on its promise to add contraceptive services and a broad list of other women’s health services to the list of prevention-related health services that employer-sponsored health plans must cover without cost to employees despite objections from religious organizations and others that the contraception mandate violates the Constitution’s freedom of religion protections.

The Obama Administration’s announcement earlier this year that it intended to move forward with plans to mandate that group health plans, including those of certain employers affiliated with religious organizations, cover contraceptive counseling and other services as prevention-related services has prompted outcry and legal challenges from a broad range of religious organizations and others. See, e.g., University of Notre Dame v. Sebelius; Hercules Industries, Inc. v. Sebelius. On July 27, 2012, a Colorado District Court granted a temporary injunction barring enforcement of the contraceptive coverage mandate against a small, Catholic family-owned business challenging the mandate as a violation of the Constitutional religious freedoms of its owners. See Hercules Industries, Inc. v. Sebelius.

While these and other litigants continue to challenge the contraceptive mandates, Obama Administration officials continue to voice their commitment to stand by and enforce the contraceptive and other prevention-related services mandates as implemented by current regulation. Employer and other health plan sponsors and fiduciaries that do not wish to risk exposure for violating these mandates should review and update their health plan documents, summary plan descriptions and other communications, and administrative and other procedures as necessary to comply with the applicable requirements of the regulations.