HIPAA

Consumer Health Information Update from Both Sides of the Atlantic

As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly popular lifestyle and fitness mobile apps is more sensitive, and in need of more privacy-sensitive treatment, than other consumer-generated data.

One of the key questions raised during the FTC’s CHI seminar is: “what is consumer health information”?  Information gathered during traditional medical encounters is clearly health-related.  Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by the Health Insurance Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community.  But other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased).  Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information.  Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected; (ii) the context in which it is initially collected; (iii) the other information with which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.

Notably, the FTC is not the only regulatory body struggling with how to define CHI.  On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”

The EU’s efforts to define CHI underscore the importance of understanding CHI.  The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information.  The US does not currently provide universal protections for personally identifiable information.  The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps.  These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.

The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.”  But, in [...]

Employers with Group Health Plans: Have You Notified State Regulators of the Breach?

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

OCR to Begin Phase 2 of HIPAA Audit Program

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase 1 Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards.  The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities.  OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates.  In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Proposed Regulations Expand the Definition of Excepted Benefits

Recently issued proposed regulations would expand the categories of excepted benefits under the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code (the Code) and the Public Health Service Act.  In general, excepted benefits are exempt from the market reform and certain other requirements added to ERISA and the Code by the Affordable Care Act.

HIPAA Omnibus Final Rule Compliance Date Is Less Than Two Months Away

by Daniel F. Gottlieb and Edward G. Zacharias

The compliance date for the omnibus final rule amending the privacy, security, breach notification and enforcement regulations under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act is less than two months away for health care providers, health plans, other covered entities and their business associates.  The changes require covered entities and their business associates to conduct a security risk assessment; revise their existing privacy, security and breach notification policies and procedures; amend their business associate agreements; and retrain their workforce on the revised policies.

The final rule includes the following changes:

  • Business associates are directly liable for civil money penalties and criminal penalties for violations of the Privacy Rule and Security Rule.
  • The definition of business associate is expanded to include a subcontractor of a business associate so that subcontractors also are liable for violations of the privacy, security and breach notification standards.
  • The definition of a breach of unsecured protected health information (PHI) is revised to make it more difficult for a covered entity or business associate to avoid reporting an unauthorized use or disclosure of PHI to the affected individuals and the Office of Civil Rights.
  • A covered entity generally may not receive cash or other financial remuneration for marketing communications made for a third party’s products or services.
  • Certain restrictions on the use of compound authorizations in connection with research studies were changed in a way that will simplify secondary uses of PHI for research purposes.

ACA Guidance on 90-Day Waiting Periods and Certificates of Creditable Coverage

by Amy M. Gordon, Jamie A. Weyeneth and Megan Mardy

Recently issued Affordable Care Act guidance clarifies the prohibition on waiting periods in excess of 90 days and eliminates the requirement to issue HIPAA group health plan certificates of creditable coverage after December 31, 2014.

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

by Bernadette Broccolo, Daniel F. Gottlieb, Jennifer S. Geetter, Ryan S. Higgins, Amy Hooper Kearbey and Edward G. Zacharias

The Office for Civil Rights of the U.S. Department of Health and Human Services published final modifications to the privacy, security and breach notification standards under HIPAA and the HITECH Act, which require covered entities and business associates to update their policies, procedures, agreements, security measures and operations to comply with new restrictions and requirements, and to benefit from new flexibility.

New HIPAA Regulations Affect Business Associates and Subcontractors

by Amy M. Gordon, Susan M. Nash and Jamie A. Weyeneth

The Health Insurance Portability and Accountability Act omnibus regulations recently released by the U.S. Department of Health and Human Services have significant ramifications for business associates and subcontractors of business associates.
