HIPAA Archives - EMPLOYEE BENEFITS BLOG

2018 Digital Health Data Developments – Navigating Change in 2019

by McDermott Will & Emery | Feb 14, 2019 | Privacy and Data Security

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

7 Tips to Avoid Compliance Missteps During Open Enrollment

by Jacob Mattinson and Megan Mardy | Nov 6, 2018 | Employee Benefits, Health and Welfare Plans, Privacy and Data Security

One of the busiest times of year for an employee benefits professional is open enrollment. It is a crucial and yet stressful time of year that typically results in numerous employee questions and complaints and is a time of year with high potential for both employer and employee mistakes. Despite the stress and potential for problems, open enrollment provides an opportunity for a company to set itself up for success for the following year.

The Employee Retirement Income Security Act (ERISA) does not require an annual opportunity for employees to change benefit plan elections. However, because of compliance issues that can spring from not offering a regular enrollment period, most companies choose to offer an “open enrollment” period, usually taking place in mid- to late fall for calendar-year health and welfare benefit plans.

Employee attention to employer communications during this period is often high, and attention to detail in participant communications behooves an employer during this period. Well-written and timely notices may be relied upon to satisfy many compliance obligations. Inaccurate or incomplete open enrollment materials, however, can create employee confusion and result in legal liability under the complex network of federal laws governing employer-sponsored benefit programs.

Read the full article here for a sampling of key issues to consider to help you avoid compliance missteps during this year’s open enrollment period.

Originally published in BenefitsPRO.com, October 2018.

Digital Health Year in Review: 2017 Trends and Looking Ahead to 2018

by McDermott Will & Emery, Bernadette M. Broccolo, Dale C. Van Demark, Jennifer S. Geetter, Jiayan Chen, Lisa Schmitz Mazur, Michael Ryan, Ryan Marcus, Scott Weinstein, Sarah T. Hogan and Vernessa T. Pollard | Feb 8, 2018 | Health and Welfare Plans, Privacy and Data Security

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.

Court to the Equal Employment Opportunity Commission: “Try Again” on Wellness Rules

by Anthony A. Bongiorno and Megan Mardy | Aug 29, 2017 | Employee Benefits, Employment, Health and Welfare Plans

In October 2016, the American Association of Retired Persons (AARP) sued the US Equal Employment Opportunity Commission (EEOC) in the US District Court for the District of Columbia seeking an injunction against the latest iteration of wellness program regulations. The final EEOC regulations issued last year offer employers a roadmap for offering employee wellness programs that pass muster as “voluntary” examinations under the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act of 2008 (GINA). In response, AARP argued that the EEOC failed to adequately justify the new rules and abused its regulatory power by reversing course on its long-standing position against wellness programs.

Digital Health Governance: Management and Strategy for the 21st Century Digital Economy

by Dale C. Van Demark and Jennifer S. Geetter | Aug 15, 2017 | Employee Benefits, Health and Welfare Plans, Privacy and Data Security

Jennifer Geetter and Dale Van Demark wrote this bylined article on how companies must manage and govern their use of digital healthcare information assets. “Organizations will need to design and implement digital governance structures that … include additional components and organizational stakeholders, in order to meet the business and strategic demands of the digital health revolution,” the authors wrote.

Highlights of Record Retention Requirements Applicable to Employee Benefit Plans

by Todd Solomon | Jan 31, 2017 | Employee Benefits, Retirement Plans

In the presentation “Highlights of Record Retention Requirements Applicable to Employee Benefit Plans,” Todd A. Solomon detailed the general rules of The Employee Retirement Income Security Act of 1974 (ERISA). He discussed several specific record-keeping requirements for employee benefit plans and a number of general requirements that imply a duty to retain records, for example general fiduciary duties, plan distribution requirements, COBRA requirements and qualified medical child support requirements.

View the presentation slides here.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

by Anthony A. Bongiorno and Michael G. Morgan | Jan 12, 2017 | Health and Welfare Plans, Privacy and Data Security

The US Department of Health and Human Services has recently issued guidance under the Health Insurance Portability and Accountability Act on what covered entities and business associates can do to prevent and recover from ransomware attacks; however, other state data breach notification laws can also be triggered by a ransomware attack. The authors of this article explain the guidance and what to do if you are subject to a ransomware attack.

Read the full article here.

Legal Update on Select Health and Welfare Plan Issues

by McDermott Will & Emery | Dec 15, 2016 | Health and Welfare Plans

In a presentation to the Silicon Valley Employers Forum, Susan M. Nash discussed recent updates to select health and welfare plans while outlining some potential issues. The agenda included changes to exchange notices, corrections to Form 1094 and 1095, issues regarding the Affordable Care Act (ACA) Section 1557 and the Equal Employment Opportunity Commission’s (EEOC) wellness program regulations under the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).

View the presentations slides here.

HIPAA Privacy and Security Compliance for Group Health Plan Sponsors

by McDermott Will & Emery | Aug 18, 2016 | Health and Welfare Plans, Privacy and Data Security

Joanna Kerpen authored an article on final HIPAA rules for privacy enforcement and audit programs, particularly those with additional requirements aimed at group health plan sponsors. This report focuses on the final regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), in January 2013, HIPAA enforcement and audit programs, HIPAA-related additional requirements of group health plan sponsors, and the actions that must be taken by group health plan sponsors to ensure compliance with the final regulations and requirements and to prepare for potential audits and enforcement actions.

“The final HIPAA regulations made many changes to the existing HIPAA privacy and security rules that are applicable to covered entities,” Ms. Kerpen wrote, and she urged plan sponsors to conduct a comprehensive review of their compliance plans to prepare for audits or enforcement action.

Read the full article here.

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

by Anthony A. Bongiorno and Michael G. Morgan | Aug 15, 2016 | Privacy and Data Security

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

Ransomware is a type of malware (malicious software). It is deployed through devices and systems through spam, phishing messages, websites and email attachments, or it can be directly installed by an attacker who has hacked into a system. In many instances, when a user clicks on the malicious link or opens the attachment, it infects the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the ransomware attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys or impermissibly transfers information from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key necessary needed to decrypt the information, but it is not guaranteed. In 2016, at least four hospitals have reported attacks by ransomware, but additional attacks are believed to go unreported.

Read the full article here to learn about the indications of a ransomware attack, what do in the event of a ransomware attack and what circumstances constitute a HIPAA breach.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS