The US Department of Health and Human Services has recently issued guidance under the Health Insurance Portability and Accountability Act on what covered entities and business associates can do to prevent and recover from ransomware attacks; however, other state data breach notification laws can also be triggered by a ransomware attack. The authors of this article explain the guidance and what to do if you are subject to a ransomware attack.
In a presentation to the Silicon Valley Employers Forum, Susan M. Nash discussed recent updates to select health and welfare plans while outlining some potential issues. The agenda included changes to exchange notices, corrections to Form 1094 and 1095, issues regarding the Affordable Care Act (ACA) Section 1557 and the Equal Employment Opportunity Commission’s (EEOC) wellness program regulations under the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).
Joanna Kerpen authored an article on final HIPAA rules for privacy enforcement and audit programs, particularly those with additional requirements aimed at group health plan sponsors. This report focuses on the final regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), in January 2013, HIPAA enforcement and audit programs, HIPAA-related additional requirements of group health plan sponsors, and the actions that must be taken by group health plan sponsors to ensure compliance with the final regulations and requirements and to prepare for potential audits and enforcement actions.
“The final HIPAA regulations made many changes to the existing HIPAA privacy and security rules that are applicable to covered entities,” Ms. Kerpen wrote, and she urged plan sponsors to conduct a comprehensive review of their compliance plans to prepare for audits or enforcement action.
On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger obligations under state data breach notification laws.
Ransomware is a type of malware (malicious software). It reaches devices and systems through spam, phishing messages, websites and email attachments, or it can be installed directly by an attacker who has hacked into a system. In many instances, the infection begins when a user clicks on the malicious link or opens the attachment. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware. After the user’s data is encrypted, the attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys information or impermissibly transfers it from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key needed to decrypt the information, but this is not guaranteed. In 2016, at least four hospitals have reported ransomware attacks, and additional attacks are believed to go unreported.
Read the full article here to learn about the indications of a ransomware attack, what to do in the event of a ransomware attack and what circumstances constitute a HIPAA breach.
The US Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits for compliance with HIPAA privacy, security and breach notification standards as required by the HITECH Act. In this second phase, OCR will audit both covered entities and their business associates, unlike the pilot audits of 2011 and 2012, which focused on covered entities alone. This On the Subject details practical steps that covered entities, including employer-sponsored group health plans, and their business associates can take to prepare for a potential audit.
McDermott Will & Emery invites you to a webcast to hear how employers and third-party administrators protect the privacy of employee participants’ personal information. On March 23, 2016, Ann Killilea and Andrew Liazos will discuss complex issues faced by employers and the impact on employee benefit plan sponsors, and address the following topics related to managing data breaches:
Beyond HIPAA: Privacy and data security issues relevant to ERISA fiduciaries
Security threats to benefit plans
Fiduciary duties to protect regulated personal information
Ann Killilea is counsel in the law firm of McDermott Will & Emery LLP and brings to the Firm and to its Global Privacy and Data Protection Affinity Group more than 25 years of experience as senior in-house corporate counsel advising Hewlett-Packard Company (HP), and its predecessor companies Compaq Computer Corporation and Digital Equipment Corporation, all multinational companies in the information technology industry.
Andrew C. Liazos is a partner in the law firm of McDermott Will & Emery LLP and regularly represents Fortune 500 companies, public companies, large closely held businesses and compensation committees on all aspects of executive compensation; ERISA fiduciary and compensation plan governance; employee benefits in business transactions; initial public offerings and bankruptcy; international compensation planning and related litigation matters. He also counsels executives in employment agreement and joint-venture negotiations.
CLE credit for the live presentation of this program is pending in the states of California, Illinois, New York and Texas. A Uniform Certificate of Attendance will be made available to participants requesting CLE credit in all other states. Please be advised that CLE credit will not be approved for on-demand/recorded viewings of this program in the states listed above. Attendees seeking credit in other states should consult their state CLE accrediting agency to determine whether self-study credit can be earned for on demand/recorded viewing of this program.
On September 29, 2015, the U.S. Department of Health and Human Services Office of the Inspector General (OIG), Office of Evaluation and Inspections, released two studies calling on the HHS Office for Civil Rights (OCR) to strengthen its efforts in both general enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Standards and enforcement of security breach reporting requirements. OIG commissioned both studies out of concern for the increased risk of an invasion of privacy and exposure to fraud, identity theft and other harm that patients face in an ever-expanding digital health environment.
Susan M. Nash wrote this bylined article about the Equal Employment Opportunity Commission’s (EEOC) long-awaited guidance on when it will enforce the Americans with Disabilities Act (ADA) against employers who sponsor certain types of employee wellness programs. “Although still in proposed form, the proposed rule provides insight into EEOC’s approach toward regulating employer wellness programs,” Ms. Nash wrote.
With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.
HIPAA covered entities have reported that the HHS Office for Civil Rights recently sent pre-audit screening surveys to a pool of covered entities that may be selected for the previously delayed second phase of HIPAA compliance audits. This On the Subject describes the phase two audit program and identifies steps that covered entities and business associates should take to prepare for these audits.