Benefits Bryan Cave

Benefits BCLP

Health Insurance Portability and Accountability Act (HIPAA)

Bryan Cave Publishes 2018 In-House Counsel Guide to Data Privacy and Security

January 31, 2018

Authors

David Zetoony

Bryan Cave is proud to present the third version of our in-house counsel’s guide to data privacy and security. The guide provides an overview of laws relevant to a variety of data matters topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues. It covers a range of privacy and security issues that apply in the HR and employee benefits areas, including HIPAA compliance and enforcement.

You may download a copy of the 2018 guide by clicking here.

Button up Your Business Associates Agreements or Pay the Price

May 9, 2017

Authors

Serena Yee and Steven Schaffer

Last month, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced a resolution agreement with the Center for Children’s Digestive Health (CCDH) which included a $31,000 penalty.

This isn’t the first time a covered entity has paid a “resolution amount” to settle potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with respect to a business associate agreement (or lack thereof).

New ACA FAQs – Special Enrollment, Women’s Preventive Care and a Cure for the HRA that Ails You (If You’re Small Enough)

December 28, 2016

Authors

Katharine Finley and Chris Rylands

In the latest round of FAQs on ACA implementation (now up to 35 if you’re keeping track), the DOL, HHS and Treasury Department addressed questions regarding HIPAA special enrollment rights, ACA coverage for preventive services, and HRA-like arrangements under the 21st Century Cures Act.

Special Enrollment for Group Health Plans. Under HIPAA, group health plans generally must allow current employees and dependents to enroll in the group health plan if the employee or dependents lose eligibility for coverage in which they were previously enrolled.  This FAQ clarifies that an individual is entitled to a special enrollment period if they lose individual market coverage.  This could happen, for example, if an insurer covering the employee or dependent stops offering that individual market coverage.  However, a loss of coverage due to a failure to timely pay premiums or for cause will not give the employee

Clouds, With A Nearly 100% Chance of a Business Associate Agreement

October 25, 2016

Authors

Chris Rylands and Jennifer Stokes

HHS recently posted guidance on its website addressing HIPAA’s approach to cloud computing. Basically, any time a cloud service provider has electronic protected health information (ePHI), it’s a business associate. This is true even if the cloud provider only stores encrypted ePHI and even if the cloud provider does not have the encryption key (and therefore, in theory, could not access the data). This means that both health plans and their business associates who use outsourced cloud computing services must have business associate agreements with those services.

At first blush, this might seem like it doesn’t directly touch the health plan, but cloud computing can take many forms. For example, if your company has an off-site data server that is managed by a third party and ePHI is stored

EEOC Takes Aim at Erroneous Application of ADA “Safe Harbor” to Wellness Programs

June 3, 2016

Authors

Katharine Finley and Serena Yee

In its preamble to the final regulations under the Americans with Disabilities Act (“ADA”) published May 17, 2016, which will be the topic of an upcoming blog post, the Equal Employment Opportunity Commission (“EEOC”) once again reiterated its disagreement with the district courts’ application of the bona fide plan safe harbor to the wellness programs in Seff v. Broward County and EEOC v. Flambeau, Inc. (discussed in a prior post).

Seff and Flambeau

In both Seff and Flambeau, plaintiffs brought suit arguing that the wellness programs violated the ADA’s prohibition on mandatory medical examinations and inquiries. Both courts disagreed and held that the wellness programs fell under the safe harbor provision, which in pertinent part states that an insurer or any entity that

Have You Checked Your SPAM Folder Recently?

April 5, 2016

Authors

Serena Yee

Nearly two years after the Office of Civil Rights (“OCR”) first announced its preparation for another round of HIPAA audits, Phase II of OCR’s HIPAA audit program is finally underway.

On March 21, OCR began emailing various types of entities to verify their e-mail addresses and contact information.   OCR acknowledged that its email communication may be treated by email filters as spam, but has advised that it expects entities to check their junk or spam email folder for emails from OCR. Recipients have 14 days to verify their email address or provide OCR with updated primary and secondary contact information.

A pre-screening questionnaire will follow seeking details regarding the entity’s size, geographic location, services and scope of operations. Covered entities will also be asked to identify their business associates. Presumably, OCR

The Anthem Breach – What Next?

February 12, 2015

Authors

David Zetoony and Lisa Van Fleet

The facts surrounding the Anthem breach continue to evolve as does Anthem’s handling of the situation.

Based on the current status of the investigation, and Anthem’s current reactions to the incident, there are steps which group health plan sponsors should consider taking to fulfill their own HIPAA and fiduciary obligations with respect to group health plans affected by the Anthem breach. These steps include the following:

  • Have business associate agreements and other relevant documents reviewed to assess the plan sponsor’s rights and obligations with respect to the breach.
  • Request from Anthem:
    • additional information about the breach;
    • confirmation concerning the steps that will be taken to protect the plan sponsor’s employees and affected individuals;
    • more extensive victim protection, client indemnification, and paid notification than Anthem is currently proposing to offer; and
    • confirmation that any state notification requirements will be satisfied on behalf plans

Anthem Data Breach Implications for Employers

February 5, 2015

Authors

Chris Rylands

As has now been widely reported, Anthem, Inc. was the unfortunate target of a cyber-attack potentially impacting 80 million current and former customers. Some reports have indicated that the HIPAA breach notification rules will not apply to this breach. However, the information stolen appears to include individually identifiable information, potentially including health plan enrollment information. Enrollment information, in the hands of a health plan, is protected health information (PHI), so it is possible that the HIPAA data breach notification rules are applicable. As such, both insured and self-funded customers utilizing Anthem as their TPA should review information concerning the Anthem breach carefully before concluding that the HIPAA breach notification rules do not apply.

Additionally, given that claims for other Blue Cross Blue Shield customers may have been submitted through

Act Now to Obtain a Controlling Health Plan HPID

October 21, 2014

Authors

Lisa Van Fleet and Serena Yee

In light of the numerous unresolved issues surrounding the process for plan sponsors to obtain a health plan identifier (“HPID”) for their self-funded health plan, we suggested in an earlier post that plan sponsors consider delaying the application process in the hope that regulators would address at least some of the unanswered questions. Since that time, the Centers for Medicare and Medicaid Services (“CMS”) has updated its Health Plan and Other Entity Enumeration System User Manual and issued a set of Frequently Asked Questions. As the deadline for obtaining an HPID approaches, the time for waiting is over.

HPIDs are obtained through the Health Plan and Other Entity Enumeration System (“HPOES”) portal, which is a component of the CMS Health Insurance Oversight System (“HIOS”).   However, plan sponsors must first obtain access to the CMS Enterprise

Check it Out and Check it Off: 2015 Group Health Plan Checklist

October 14, 2014

Authors

benefitsbclp

With 2015 just around the corner, certain mandates under the Patient Protection and Affordable Care Act, as amended (“ACA”) are about to become effective. Health plans also have several existing enrollment and annual notice requirements. Below is a checklist of upcoming ACA mandates that employers must implement in preparation for or in 2015 and a summary of existing enrollment and annual notice requirements.

For a refresher on the ACA mandates which became effective this year, please see our 2014 group health plan checklist here.

I. ACA Requirements That Apply to All Group Health Plans (Whether Grandfathered or Not)

On or beginning with the dates specified below, a group health plan must comply with the following requirements, regardless of its status as a “grandfathered health plan”:

Obtain a Health Plan Identifier Number (HPID).
