HIPAA

Businesses are rapidly developing strategies to continue functioning and protect their workforces in the face of the growing Coronavirus COVID-19 outbreak. For obvious reasons, businesses may want to deploy health screening, testing, and professional medical advice services—including telemedicine—to their employees and dependents. It is critical that employers’ health plans support these efforts and not get

A new post on Covington’s eHealth blog discusses HIPAA-related provisions in the Twenty-First Century Cures Act, signed by President Obama on December 13.   These provisions direct HHS to consider HIPAA’s effects on mental health treatment and the availability of health data for research purposes.  Read the full post here.

Most group health plans must apply to the Centers for Medicare & Medicaid Services by November 5 for a unique health plan identifying number (HPID).  Although self-insured health plans must apply for HPIDs, the application process was not designed with these plans in mind.

In a post this summer, we identified several deficiencies in the HPID rules that will make the application process difficult for employers.  CMS has recently fixed a few problems; but with the November 5 deadline fast approaching, the agency still has not addressed other fundamental shortcomings of the HPID rules.
Continue Reading CMS Fixes Some HPID Problems, But Other Problems Remain

Group health plans with 50 or more participants, including self-insured plans, must be able to conduct electronic transactions in accordance with HHS standards and operating rules.  One of the more challenging aspects of the electronic transaction rules has been the transition to the new International Classification of Diseases, 10th Revision (ICD-10) codes for health claims.
Continue Reading Health Plans Have an Extra Year to Prepare for ICD-10—And They Might Need It

Group health plan sponsors and administrators focused on compliance with ACA’s shared responsibility rules might not be aware that another compliance deadline is looming.   By November 5, 2014, most group health plans must apply to the Centers for Medicare & Medicaid Services (CMS) for a unique health plan identifying number.  (Please visit the “Deadlines” page of our blog for information about other approaching deadlines.)


Continue Reading Health Plan I.D. Application Deadline Is Approaching

Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule.

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was part of a larger health system, Concentra Health Services.  Through conducting required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk.  However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.”  Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan.  This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but not taken reasonable efforts to correct.
Continue Reading Two HIPAA Settlements Follow Stolen Laptops

Employers should be aware that the Department of Human Services (“HHS”) is stepping up its enforcement of requirements for covered entities, such as group health plans, to adopt and implement policies and procedures for protecting and securing protected health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  As our

The Equal Employment Opportunity Commission held a hearing this week on “Wellness Programs Under Federal Equal Employment Opportunity Laws.”  Amy Moore testified at the hearing on behalf of long-time Covington client The ERISA Industry Committee (“ERIC”), a non-profit association committed to the advancement of the employee retirement, health, and other benefit programs of America’s largest employers.

The hearing focused on the treatment of wellness programs under the Americans With Disabilities Act (“ADA”).  The ADA permits employers to offer voluntary medical examinations or request voluntary medical histories as long as they keep the information confidential and do not use it for discriminatory purposes.  The EEOC issued enforcement guidance in 2000 stating that voluntary wellness programs can qualify for this exception; but the EEOC has never made it clear whether a wellness program is “voluntary” if it offers employees incentives to participate in the program. 
Continue Reading EEOC Holds Hearing on Workplace Wellness Programs

The HIPAA / HITECH omnibus rule published in the Federal Register late last week includes a number of changes that will require action by employers, health plans, and business associates in the coming months.  The new requirements take effect on March 26, although group health plans and business associates have until September 23, 2013, to comply with most of the new requirements. 
Continue Reading New HIPAA / HITECH Rule Requires Health Plan Changes

The U.S. Department of Health and Human Services (HHS) recently released guidance on methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  The guidance, which was required under Section 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, answers questions about the two methods that can be used to satisfy the HIPAA de-identification standard in  45 C.F.R. § 164.514.  It also incorporates input from stakeholders that HHS received at a workshop held in March 2010.

As summarized in the figure below, the two methods by which health information can be designated as de-identified under HIPAA are (1) the “expert determination” method and (2) the “safe harbor” method.

 

Source:HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy RuleContinue Reading HHS Releases Guidance on HIPAA De-Identification Standard