Boardman Law Firm


Employee Benefits Update: HIPAA Breaches Now Listed on Public HHS Website

By Cindy Van Bogaert
April 26, 2010

Here is your latest Employee Benefits Update from Cindy Van Bogaert, Partner and Chair of the Employee Benefits Practice Group at Boardman Law Firm LLP. This Employee Benefits Update provides information about HIPAA privacy breach notice rules for employers with group health plans.

Under HIPAA (the Health Insurance Portability and Accountability Act) privacy rules, employer group health plans must report certain breaches to the Federal Department of Health and Human Services ("HHS"). Although any size breach that meets the regulatory definition must be reported, large breaches (involving 500 or more individuals) are posted to the HHS public website.

The current list can be viewed at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html. The list may be of interest to plans that conduct risk analyses for their HIPAA policies and procedures. For example, it is interesting to see that the type of breach is given as theft in many cases. Other reasons include unauthorized access, hacking, and phishing scams, as well as incorrect mailing and misdirected email.

The HHS website also lists the location of the breached information, and many of the incidents involve laptops or other portable electronic devices. Other locations of breached information are paper records, desktop computers, email, hard drives, network servers, CDs, backup tapes, postcards, and mailings.

In several instances, the name of a business associate involved in the breach is listed on the HHS website.

The HHS website listing is a reminder to employer plans that HIPAA privacy can involve unpleasant public disclosures. In addition, last year's HITECH Act (Health Insurance Technology for Economic and Clinical Health Act) significantly increased the penalties for and enforcement relating to HIPAA violations. The best protection against such a disclosure or penalty is to have a thorough risk analysis and a comprehensive set of HIPAA privacy and security policies and procedures and related documentation. The risk analysis should take various types of breach and different location types into consideration. This HHS website listing is instructive in showing where reported breaches are occurring. For example, if an employer plan has not carefully evaluated and implemented steps to prevent loss or theft of laptops or other portable electronic devices, the employer plan certainly should do so.

As a reminder, the HITECH Act included several changes that were effective February 17, 2010 and should now be part of employer plans' revised policies and procedures and other documentation, such as business associate agreements.

What should employers do?

Please contact me if I can be of assistance.

Upcoming seminars:

  • "HIPAA Privacy Heats Up," at the Midwest Claims Conference in Lake Geneva, WI on May 6, 2010.
  • "Health Care Reform - Tax Credits and Opportunities Only for Small Employers," at the Evansville Inventors and Entrepreneurs Club in Evansville, WI on May 12, 2010.
  • "How Health Care Reform Affects Employer Group Health Plans" Seminar in Madison, WI on May 18, 2010.
  • "Fiduciary Responsibility," at Wisconsin Retirement Plan Professionals, Ltd in Milwaukee, WI on May 27, 2010. For contact information: http://wrppl.org/Home/tabid/88/Default.aspx.
  • "HIPAA Privacy: Tougher Rules; Tougher Enforcement," at the Society for Human Resource Management (SHRM) Annual Conference & Exposition in San Diego, CA on June 28, 2010. For information and to register: http://www.shrm.org/CONFERENCES/annual/Pages/default.aspx.
  • "401(k) Plans" Seminar in Madison, WI on September 14, 2010.
  • "HIPAA Privacy Training" two seminars, one for the basics and one for new developments, both on October 26, 2010. If you work with employer health benefits, you should consider these training seminars to meet your legal obligations.
  • "Fundamentals of Employee Benefit Plans," for the American Law Institute-American Bar Association, in Philadelphia, PA on April 6-8, 2011.

This update is not legal advice. Individuals should seek advice based on their particular circumstances from their own counsel.

If you have any questions or need assistance, please contact Cindy Van Bogaert at (608) 283-7543 or by email.

