HIPAA

How Dobbs Has Changed the Data Privacy Landscape

Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.


Putting Employee Wellness Programs to Work

What are the opportunities and challenges of digital health wellness programs? In a recent discussion, McDermott Partners Scott A. Weinstein and Sarah G. Raaii discussed a wide range of issues, including accessibility to employees, navigating the health plan regulatory landscape, budgetary constraints and the reality of rising healthcare costs.


HIPAA Compliance 101: Lessons from a Recent OCR Settlement

The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.

The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”

The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rule is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items which covered entities must perform to comply:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
  • Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
  • Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors get only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category can be reasonably confident of surviving an OCR audit or investigation only if they take, at a minimum, the actions listed above.





FTC Proposes Health Breach Notification Rule Amendments

At a recent open Commission meeting, the Federal Trade Commission (FTC) voted unanimously to issue a Notice of Proposed Rulemaking to amend the Health Breach Notification Rule (HBNR). The FTC’s proposed amendment aims to codify the HBNR’s application to digital health and mobile technologies. However, several aspects of the proposed amendment lack clarity and are likely to cause confusion unless further clarified through the ongoing rulemaking process.


Preparing for the End of the COVID-19 Emergency: Deadline Tolling

The Biden administration previously announced its intent to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information). On April 10, 2023, President Biden signed a resolution moving up the end of the NE to April 10, 2023 (the PHE ended on May 11). The US Departments of Labor (DOL), Health and Human Services, and the Treasury (the Departments) issued a set of FAQs (available here) on March 29, 2023 (FAQs), which anticipated that the NE would end on May 11, 2023 (see our prior article explaining the FAQs). Plan sponsors should continue to treat May 11 as the end of the NE consistent with the FAQs until the Departments say otherwise.

During the COVID-19 pandemic, the Departments provided relief from certain benefit plan deadlines, including:

  • The minimum 60-day election period for the Consolidated Omnibus Budget Reconciliation Act (COBRA) continuation coverage.
  • The date for making COBRA premium payments (45 days for the initial, then minimum 30-day grace periods).
  • The date for individuals to notify the plan of certain qualifying events (divorce, dependent child aging out of plan coverage) or determination of disability as it relates to COBRA coverage.
  • The date for providing a COBRA election notice (typically within 14 days after the plan receives notice of a qualifying event).
  • The 30-day period (or 60-day period, if applicable) to request Health Insurance Portability and Accountability Act (HIPAA) special enrollment.
  • The date within which individuals may file a benefit claim or an appeal of an adverse benefit determination under a plan’s claims procedures.
  • The date within which claimants may file a request for an external review after receipt of an adverse benefit determination or final internal adverse benefit determination.

This article discusses how the affected tolled deadlines will be phased out and what actions employers may need to take.

BACKGROUND

EBSA Disaster Relief Notice 2020-01, later extended by EBSA Disaster Relief Notice 2021-01, provided that the deadline by which action needs to be taken for the events described above was tolled until the earlier of: (i) one year from the date the deadline would have first started running for that individual or (ii) sixty (60) days from the end of the NE (the Outbreak Period). This guidance created a tolling deadline specific to each affected individual. Where the individual has not reached the one-year anniversary of the date of the initial deadline, timeframes will begin to run again sixty (60) days after the end of the NE (i.e., July 10, 2023).

The FAQs released by the Departments at the end of March provided much-needed clarification and various helpful examples for employers of how the outbreak period should be taken into consideration when calculating the tolled deadlines. For example, if an employee experiences a qualifying event under COBRA and loses coverage on April 1, 2023, the deadline for the individual to make a COBRA election is tolled until the earlier [...]


Washington State Legislature Passes My Health My Data Act

The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.


Telehealth Trends to Watch: Increased Focus on Privacy and Security

We expect to see continued focus on privacy and security at the federal and state level. For example, California, Virginia, Colorado, Utah and Connecticut have new privacy laws coming into effect in 2023. As part of our State Law Privacy Video Series, McDermott described how these laws will affect health data and healthcare entities—in particular, those entities that are regulated by HIPAA.

In addition, at the end of 2022, the US Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance-use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the proposed rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of HIPAA and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information.


Mental Health Parity, Quantitative Treatment Limitations, Employee Assistance Plans and the End of the COVID-19 Emergency

The Biden administration has announced its intention to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information). Among other things:

  • The NE and the PHE modified the rules governing financial requirements and quantitative treatment limitations under the Mental Health Parity and Addiction Equity Act (MHPAEA). The end of the NE and the PHE will require modifications to group health plans’ and health insurance issuers’ MHPAEA testing as it relates to financial requirements and quantitative treatment limits. The NE and the PHE also affect the design and operation of some employee assistance plans (EAPs).
  • The NE and the PHE allowed plan sponsors to expand coverage under excepted benefit EAPs in certain respects without risking their status as Health Insurance Portability and Accountability Act (HIPAA)-excepted benefits.

MHPAEA 

MHPAEA requires that the financial requirements (such as coinsurance and copays) and quantitative treatment limits (such as visit limits) imposed on mental health or substance use disorder (MH/SUD) benefits cannot be more restrictive than the predominant financial requirements and treatment limitations that apply to substantially all medical/surgical benefits in a particular benefit classification. During the public health emergency period, group health plans and health insurance issuers were permitted to disregard certain items and services related to testing for the detection of SARS-CoV-2, the virus that causes COVID-19, when performing the “substantially all” and “predominant” tests. Absent this relief, the costs of covering COVID-19 testing items and services without cost-sharing would be the amounts allocated to medical/surgical benefits, thereby putting group health plans and health insurance issuers at risk of running afoul of MHPAEA quantitative treatment limits.

From and after the end of the PHE, group health plans and health insurance issuers must include the cost of covering COVID-19 tests, either diagnostic or over-the-counter, or testing-related services, when calculating MHPAEA quantitative treatment limits.

Action Items: Employers should revisit their MHPAEA compliance testing to ensure that the coverage of COVID-19 tests is properly accounted for in applying the relevant quantitative treatment limits. There is, however, no longer a requirement that a group health plan or health insurance issuer cover these services without charge.

EMPLOYEE ASSISTANCE PLANS

The end of the NE and the PHE could have various impacts on EAPs depending on the specific plan design. Employers may, for example, see a spike in the need for mental health support that could be met through EAP services. While the pandemic may be winding down, the mental health impacts of the past three years may continue for many employees. Employers may need to continue to offer mental health services and resources through their EAPs, and potentially explore expanding mental health services through an EAP or otherwise, to support employees who are struggling with anxiety, depression or other mental health issues related to the pandemic.

Particular attention is required in the case of excepted benefit EAPs. Excepted benefit EAPs do not provide minimum essential coverage for Affordable Care [...]


Coverage of COVID-19 Testing and the End of the COVID-19 Emergency

A key feature of the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) was the government’s ability to provide access to and coverage of COVID-19 tests. This resulted in overlapping legislation targeted at providing tests to benefit plan participants for free.

With the end of the NE and PHE set for May 11, 2023, there is confusion about what will happen to COVID-19 testing.

Starting on March 18, 2020, the Families First Coronavirus Response Act (FFCRA) required all public and private insurance coverage, including self-funded plans, to cover COVID-19 tests and costs associated with diagnostic testing with no cost-sharing for the duration of the PHE. The Coronavirus Aid, Relief, and Economic Security (CARES) Act enacted shortly after expanded this requirement to cover out-of-network tests during the PHE. The Consolidated Appropriations Act of 2021 (CAA) then took a new approach and applied the requirement to over-the-counter (OTC) COVID-19 tests and added additional obligations. Under guidance issued by the US Departments of Labor, Health and Human Services, and Treasury, effective January 15, 2022, health plans were required to cover up to eight free OTC at-home tests per covered individual per month. Health plans could limit the reimbursement of these tests to the lesser of the actual or negotiated price or $12 per test. Health plans could also provide tests through participating network providers, such as pharmacies or retailers.

When the PHE ends, health plans will no longer be required to cover COVID-19 tests, either diagnostic or OTC, or testing-related services with no cost-sharing.

Employers should consider whether they want to continue to cover COVID-19 tests as required by a doctor or OTC without cost sharing. There is no requirement to stop doing this after the PHE, but doing so may have some implications on group health plans. Importantly, if an employer decides to continue covering testing at no cost, they should consider how this affects any employer-sponsored high-deductible health plan (HDHP). IRS Notice 2020-15 permitted HDHP coverage of COVID-19 testing with no cost-sharing without conflicting with HSA eligibility (see our article here). This relief continues until further guidance is issued. Though COVID-19 testing could be considered preventative care under Section 223 of the Internal Revenue Code, the US Department of Treasury will need to provide further clarification. Employers should also consider whether they want to continue to apply a $12 reimbursement cap on COVID-19 tests or some other limitation.

After the PHE, employers who choose to continue to cover COVID-19 tests at no cost or apply a reimbursement cap may need to amend their plans or summary plan descriptions for these practices. They will also need to coordinate with any insurer or third-party administrator of the employer’s group health plan to ensure proper administration. Depending on the timing of these amendments, they may also need to provide a summary of material modifications to participants. Employers who decide not to continue coverage of COVID-19 tests or apply a reimbursement cap may need to amend their plans, depending on whether [...]

