Health Insurance Portability and Accountability Act Archives

American Health Care Act: Considerations for Employers

by McDermott Will & Emery | Mar 9, 2017 | Employee Benefits, Health and Welfare Plans

On Monday March 6, 2017, the House Republican leadership in the Energy and Commerce and Ways and Means Committees unveiled their signature bill to “repeal and replace” the Affordable Care Act (ACA). The “American Health Care Act” (AHCA) is an effort to make good on President Trump’s promise to dismantle the ACA. Democrats are united in their opposition to the AHCA and other stakeholders have also come out against the bill – while the proposed legislation is subject to modification as it is marked up in committee and debated in Congress, certain provisions of the AHCA, if enacted, will be of particular importance to employers and provide the framework for a strategic road map as employers plan and design future health care benefits for their employees.

Read the full article.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

by Anthony A. Bongiorno and Michael G. Morgan | Jan 12, 2017 | Health and Welfare Plans, Privacy and Data Security

The US Department of Health and Human Services has recently issued guidance under the Health Insurance Portability and Accountability Act on what covered entities and business associates can do to prevent and recover from ransomware attacks; however, other state data breach notification laws can also be triggered by a ransomware attack. The authors of this article explain the guidance and what to do if you are subject to a ransomware attack.

Read the full article here.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

by Anthony A. Bongiorno and Michael G. Morgan | Aug 15, 2016 | Privacy and Data Security

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

Ransomware is a type of malware (malicious software). It is deployed through devices and systems through spam, phishing messages, websites and email attachments, or it can be directly installed by an attacker who has hacked into a system. In many instances, when a user clicks on the malicious link or opens the attachment, it infects the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the ransomware attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys or impermissibly transfers information from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key necessary needed to decrypt the information, but it is not guaranteed. In 2016, at least four hospitals have reported attacks by ransomware, but additional attacks are believed to go unreported.

Read the full article here to learn about the indications of a ransomware attack, what do in the event of a ransomware attack and what circumstances constitute a HIPAA breach.

HHS Office of Inspector General Calls for Increased Oversight and Enforcement of HIPAA

by Amy C. Pimentel, Edward G. Zacharias and Daniel F. Gottlieb | Nov 19, 2015 | Employment, Health and Welfare Plans, Privacy and Data Security

On September 29, 2015, the U.S. Department of Health and Human Services Office of the Inspector General (OIG), Office of Evaluation and Inspections, released two studies calling on the HHS Office for Civil Rights (OCR) to strengthen its efforts in both general enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Standards and enforcement of security breach reporting requirements. OIG commissioned both studies out of concern for the increased risk of an invasion of privacy and exposure to fraud, identity theft and other harm that patients face in an ever-expanding digital health environment.

Read the full On the Subject.

With No Federal Law in Sight, States Continue to Refine Their Own Data Privacy Laws

by David Quinn Gacioch | Aug 26, 2015 | Employment, Privacy and Data Security

With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.

Read the full post here.