Health Insurance Portability and Accountability Act Archives

Hospital Settles With OCR for $4.75 Million Over HIPAA Violations

by McDermott Will & Emery | Apr 17, 2024 | Health and Welfare Plans, Privacy and Data Security

The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).

According to OCR, in 2013, a former hospital employee sold the electronically protected medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.

How Dobbs Has Changed the Data Privacy Landscape

by Scott Weinstein | Jul 26, 2023 | Employee Benefits, Health and Welfare Plans, Privacy and Data Security

Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.

Access the article.

Putting Employee Wellness Programs to Work

by Scott Weinstein and Sarah Raaii | Jul 19, 2023 | Digital Health, Employee Benefits, Health and Welfare Plans

What are the opportunities and challenges of digital health wellness programs? In a recent discussion, McDermott Partners Scott A. Weinstein and Sarah G. Raaii discussed a wide range of issues, including accessibility to employees, navigating the health plan regulatory landscape, budgetary constraints and the reality of rising healthcare costs.

Read more here.

Preparing for the End of the COVID-19 Emergency: Deadline Tolling

by Jacob Mattinson, Sarah Raaii, Alden Bianchi and Teal Trujillo | May 18, 2023 | Employee Benefits, Health and Welfare Plans

The Biden administration previously announced its intent to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information). On April 10, 2023, President Biden signed a resolution moving up the end of the NE to April 10, 2023 (the PHE ended on May 11). The US Departments of Labor (DOL), Health and Human Services, and the Treasury (the Departments) issued a set of FAQs (available here) on March 29, 2023 (FAQs), which anticipated that the NE would end on May 11, 2023 (see our prior article explaining the FAQs). Plan sponsors should continue to treat May 11 as the end of the NE consistent with the FAQs until the Departments say otherwise.

During the COVID-19 pandemic, the Departments provided relief from certain benefit plan deadlines, including:

The minimum 60-day election period for the Consolidated Omnibus Budget Reconciliation Act (COBRA) continuation coverage.
The date for making COBRA premium payments (45 days for the initial, then minimum 30-day grace periods).
The date for individuals to notify the plan of certain qualifying events (divorce, dependent child aging out of plan coverage) or determination of disability as it relates to COBRA coverage.
The date for providing a COBRA election notice (typically within 14 days after the plan receives notice of a qualifying event).
The 30-day period (or 60-day period, if applicable) to request Health Insurance Portability and Accountability Act (HIPAA) special enrollment.
The date within which individuals may file a benefit claim or an appeal of an adverse benefit determination under a plan’s claims procedures.
The date within which claimants may file a request for an external review after receipt of an adverse benefit determination or final internal adverse benefit determination.

This article discusses how the affected tolled deadlines will be phased out and what actions employers may need to take.

BACKGROUND

EBSA Disaster Relief Notice 2020-01, later extended by EBSA Disaster Relief Notice 2021-01, provided that the deadline by which action needs to be taken for the events described above was tolled until the earlier of: (i) one year from the date the deadline would have first started running for that individual or (ii) sixty (60) days from the end of the NE (the Outbreak Period). This guidance created a tolling deadline specific to each affected individual. Where the individual has not reached the one-year anniversary of the date of the initial deadline, timeframes will begin to run again sixty (60) days after the end of the NE (i.e., July 10, 2023).

The FAQs released by the Departments at the end of March provided much-needed clarification and various helpful examples for employers of how the outbreak period should be taken into consideration when calculating the tolled deadlines. For example, if an employee experiences a qualifying event under COBRA and loses coverage on April 1, 2023, the deadline for the individual to make a COBRA election is tolled until the earlier [...]

Continue Reading

Washington State Legislature Passes My Health My Data Act

by David Saunders, Alya Sulaiman, Sam Siegfried and Austin Mooney | May 2, 2023 | Digital Health, Employee Benefits, Health and Welfare Plans

The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.

Read more here.

Preparing for the End of the COVID-19 Emergency: Tri-Agencies Issue FAQs to Assist Plans and Issuers

by Jacob Mattinson, Sarah Raaii, Alden Bianchi and Teal Trujillo | Apr 5, 2023 | Employee Benefits, Health and Welfare Plans

The Biden administration has announced its intention to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information).

On March 29, 2023, the US Departments of Labor, Health and Human Services, and Treasury (the Departments) issued a set of Frequently Asked Questions (available here), which answered questions from stakeholders relating to the various laws, regulations and other guidance enacted or adopted in connection with the NE and PHE. The FAQs include eight questions related to the anticipated end of the “Outbreak Period” on July 10, 2023, which is 60 days after the end of the NE and PHE on May 11 (rules regarding the Outbreak Period are set forth in our earlier articles here and here). Below are the highlights:

Following the end of the PHE, plans and issuers can impose cost-sharing, prior authorization or other medical management requirements for COVID-19 diagnostic tests, although the Departments encourage plans not to do so.
Plans and issuers are encouraged to notify plan participants of changes regarding COVID-19 diagnosis, testing and treatment. Special rules apply under which Summaries of Benefits and Coverage (SBCs) need not be amended mid-year.
While plans and issuers will no longer be required to post prices for diagnostic tests furnished after May 11, they are nevertheless encouraged to do so.
Plans must continue to cover vaccines that qualify as preventive services, without cost-sharing, when provided in-network.
The FAQs provide examples relating to the application and termination of extended time periods for elections under the Consolidated Omnibus Budget Reconciliation Act (COBRA) and the Health Insurance Portability and Accountability Act (HIPAA).
In what is a welcome surprise, the FAQs confirm that individuals covered by a High-Deductible Health Plan (HDHP) will remain Health Savings Account (HSA)-eligible until further notice even if the HDHP in which they are enrolled provides medical care services and items purchased related to testing for and treatment of COVID-19 prior to the satisfaction of the HDHP’s applicable minimum deductible.

To keep employers apprised of the rules and to assist with providing notice to plan participants of the changes that will accompany the end of the NE and PHE, the Department of Labor has issued two blog posts, which are available here and here.

Action Items: We urge plan sponsors to pay particular attention to notifying employees of the upcoming changes that will accompany the end of the PHE and NE and to ensure that participants covered under an HDHP understand that they may continue to contribute to their HSAs. Employers should consider communicating these changes to their employees.

For any questions regarding the end of the PHE and/or NE, please contact your regular McDermott lawyer or one of the authors.

Mental Health Parity, Quantitative Treatment Limitations, Employee Assistance Plans and the End of the COVID-19 Emergency

by Jacob Mattinson, Sarah Raaii, Alden Bianchi and Teal Trujillo | Mar 29, 2023 | Employee Benefits, Health and Welfare Plans, Mental Health Parity and Addiction Equity Act

The Biden administration has announced its intention to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information). Among other things:

The NE and the PHE modified the rules governing financial requirements and quantitative treatment limitations under the Mental Health Parity and Addiction Equity Act (MHPAEA). The end of the NE and the PHE will require modifications to group health plans’ and health insurance issuers’ MHPAEA testing as it relates to financial requirements and quantitative treatment limits. The NE and the PHE also affect the design and operation of some employee assistance plans (EAPs).
The NE and the PHE allowed plan sponsors to expand coverage under excepted benefit EAPs in certain respects without risking their status as the Health Insurance Portability and Accountability Act (HIPAA)-excepted benefits.

MHPAEA

MHPAEA requires that the financial requirements (such as coinsurance and copays) and quantitative treatment limits (such as visit limits) imposed on mental health or substance use disorder (MH/SUD) benefits cannot be more restrictive than the predominant financial requirements and treatment limitations that apply to substantially all medical/surgical benefits in a particular benefit classification. During the public health emergency period, group health plans and health insurance issuers were permitted to disregard certain items and services related to testing for the detection of SARS-CoV-2, the virus that causes COVID-19, when performing the “substantially all” and “predominant” tests. Absent this relief, the costs of covering COVID-19 testing items and services without cost-sharing would be the amounts allocated to medical/surgical benefits, thereby putting group health plans and health insurance issuers at risk of running afoul of MHPAEA quantitative treatment limits.

From and after the end of the PHE, group health plans and health insurance issuers must include the cost of covering COVID-19 tests, either diagnostic or over-the-counter, or testing-related services, when calculating MHPAEA quantitative treatment limits.

Action Items: Employers should revisit their MHPAEA compliance testing to ensure that the coverage of COVID-19 tests is properly accounted for in applying the relevant quantitative treatment limits. There is, however, no longer a requirement that a group health plan or health insurance issuer cover these services without charge.

EMPLOYEE ASSISTANCE PLANS

The end of the NE and the PHE could have various impacts on EAPs depending on the specific plan design. Employers may, for example, see a spike in the need for mental health support that could be met through EAP services. While the pandemic may be winding down, the mental health impacts of the past three years may continue for by many employees. Employers may need to continue to offer mental health services and resources through their EAPs, and potentially explore expanding mental health services through an EAP or otherwise, to support employees who are struggling with anxiety, depression or other mental health issues related to the pandemic.

Particular attention is required in the case of excepted benefit EAPs. Excepted benefit EAPs do not provide minimum essential coverage for Affordable Care [...]

Continue Reading

HIPAA Faces Test in New Abortion Reality

by Scott Weinstein | Sep 16, 2022 | Employee Benefits, Health and Welfare Plans

Doctors across the country are encountering a minefield of legal risks as they navigate a post-Roe reality. In this Axios article, McDermott Partner Scott Weinstein offers perspective on the Health Insurance Portability and Accountability Act (HIPAA) and health information disclosure.

Access the article.

Navigating Data Privacy Questions Post-Dobbs

by Scott Weinstein, Jayda Greco, David Quinn Gacioch, Daniel F. Gottlieb and Carolyn Metnick | Aug 10, 2022 | Digital Health, Employee Benefits, Health and Welfare Plans

The US Supreme Court’s recent decision to overturn Roe v. Wade in Dobbs v. Jackson Women’s Health Organization has raised many questions about potential efforts by law enforcement agencies to obtain data from healthcare and other service providers to detect the performance of a possibly unlawful abortion. For example, data collected by period-tracking apps, patients’ self-reported symptoms, or diagnostic-testing results might be used to establish the timeframe in which an individual became pregnant, and then demonstrate that a pregnancy was terminated, as part of investigative or enforcement efforts against individuals or organizations allegedly involved in such termination.

On June 29, 2022, the office within the US Department of Health and Human Services (HHS) that is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), the Office for Civil Rights (OCR), issued guidance addressing how HIPAA limits disclosures by covered entities and business associates to law enforcement agencies in the absence of a court order or other legal mandate. The guidance provides helpful insight on how OCR may use HIPAA enforcement to discourage unauthorized disclosures of protected health information (PHI) to law enforcement officials in the wake of new state laws outlawing abortion. The guidance also implicitly confirms, however, that HIPAA does not provide a complete shield against law enforcement and litigation-driven requests for abortion-related information.

Read more here.

Workers’ Abortion Privacy at Risk as Texas Targets Employer Aid

by Scott Weinstein | Jul 25, 2022 | Benefit Controversies, Employee Benefits, Health and Welfare Plans

A group of conservative Texas lawmakers is warning employers of potential civil or criminal consequences if they offer out-of-state abortion access to their employees. In this Bloomberg Law article, McDermott Partner Scott Weinstein said many companies offering reproductive healthcare benefits are making sure such benefits aren’t tied to a particular procedure.

“The goal is not to know,” Weinstein said.

Read more here.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS