HIPAA Privacy and Security

Cyber-attacks – A Universal Issue

The Federal Bureau of Investigation has cautioned organizations, regardless of industry, that cyber-attacks continue to increase and evolve. Cyber-attacks often target digital files containing sensitive and proprietary data. Thus, the operational, financial and reputational impact caused by cyber-attacks to an organization, either directly or through its service providers, can be significant.

To illustrate the widespread acknowledgement across industries of the importance of cybersecurity, this article describes: 1) best practices identified by the Securities and Exchange Commission Office of Compliance Inspections and Examinations for designing cybersecurity programs, and 2) guidance issued by the Department of Health and Human Services Office for Civil Rights under the Health Insurance Portability and Accountability Act for responding to cyber-attacks.

You Can Run But You Can’t Hide: HIPAA Audits are Coming

On March 21, 2016, the HHS Office for Civil Rights (OCR) announced that it has begun “Phase 2” of audits of covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”). Phase 1 was limited to a pilot program designed to develop a standard set of audit protocols.

HIPAA Hodgepodge

After more than ten years, HIPAA is still a hot topic. Here is a rundown of recent developments.

Anthem Security Breach May Require Plan Sponsor Action

The well-publicized cyber-attack on Anthem, Inc.’s information technology system may require employers to take prompt action to protect the rights of their health plan participants. Although neither the scope nor the cause of the security breach has yet been determined, the attack has been described as both “massive” and “sophisticated.”

Don’t Forget About HIPAA When Addressing Data Security

Among the many data security and breach laws that exist, covered health care providers and health plans must also contend with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

National Health Plan Identifiers Required by November

The HIPAA Electronic Transactions and Code Sets rule requires most group health plans to obtain new health plan identifier numbers (HPIDs) by November 5, 2014. While insurers will likely obtain the HPID on behalf of fully insured plans, the task of obtaining the HPID for a self-funded plan will fall upon the plan sponsor. While the process is relatively simple, plan sponsors should begin identifying which group health plan arrangements are subject to the HPID requirement and communicating with plan vendors regarding the requirements.

HIPAA Changes on the Horizon

The Department of Health and Human Services has issued final regulations on the HIPAA privacy and security rules (the “HIPAA Rules”) for health plan sponsors and their business associates. The regulations make several changes to the HIPAA Rules, including a significant change in the standards requiring a “breach notification,” additional content for the notice of privacy practices, and incorporation of the “direct liability” rules for business associates. The general effective date of the final regulations is March 26, 2013 and compliance with most of the changes will be required by September 23, 2013. Plan sponsors (and business associates) will need to review, and potentially revise, their policies and procedures, privacy notices, and business associate agreements in light of the final regulations.

The “HIPAA Police” Are Here

After years of somewhat lenient enforcement of the HIPAA Privacy and Security Rules, the Department of Health and Human Services (“HHS”) appears to be ramping up its enforcement efforts. A recently announced settlement between a medical provider and HHS is the latest in a string of recent civil penalties and settlements involving alleged HIPAA Privacy Rule and/or Security Rule violations. Although the penalties referenced in this Alert have thus far been assessed against health care providers, they might just as easily be assessed against health care plans that commit the same types of HIPAA violations. For that reason, health plan sponsors should take note and review their existing policies and procedures.

HHS Posts Online Breach Notification Form

As explained in our March 2009 and September 2009 articles, employer health plans and other “covered entities” are required to notify affected individuals and the Department of Health and Human Services (“HHS”) when they breach certain of the privacy requirements imposed by the Health Insurance Portability and Accountability Act (“HIPAA”). HHS has now posted on its website an online form by which such breaches may be reported to HHS.

HHS Issues Interim Final Rule On HIPAA Breach Notification

As we reported in our March 2009 article, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act created a new notification requirement in the event of a breach involving protected health information (“PHI”). The Department of Health and Human Services (“HHS”) recently published interim final regulations clarifying when and how such breach notices must be provided.