OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.

Learn more about OCR’s Phase 2 Audit program.


Improper Disclosure of Research Participants’ Protected Health Information Results In $3.9 Million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.  Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements

North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


Yellow Light: IRS Delays Reporting Requirements Again!

Earlier today, the IRS announced an extension of the due dates for IRS Forms 1094 and 1095. In IRS Notice 2016-4, the IRS states that employers are not required to furnish individuals with either Form 1095-B or 1095-C until March 31, 2016. The deadline was previously February 1, 2016. In addition, employers are not required to file Form 1094-B or Form 1094-C with the IRS until May 31, 2016 if filing paper returns, or June 30, 2016 if filing electronically. The prior deadlines were February 29, 2016 (paper) and March 31, 2016 (electronic).

This is now the second delay of the ACA reporting requirements. On July 2, 2013 (coincidentally, also adjacent to a national holiday), the U.S. Department of the Treasury issued a blog post that announced a delay of the ACA shared responsibility penalties and the accompanying reporting requirements until the 2015 taxable year. A copy of my summary of the prior delay is available here.

The IRS now anticipates that many people will file their individual tax returns (Form 1040) prior to receiving the Form 1095-B or 1095-C from their employers or other coverage providers. Accordingly, the IRS will allow individuals to rely on other information from their employers or other coverage providers for purposes of filing their returns in 2015.

As most large employers are well aware, the IRS Forms 1094-C and 1095-C are complicated and impose significant administrative burdens. Any delay or simplification of these forms is welcome news. However, at this point, the IRS has lost all credibility on ACA matters, after insisting that there would be no delay of the 2015 reporting deadlines. It is now manifestly clear that the IRS is struggling with the ACA shared responsibility rules as much as the rest of the country.

Please consult your attorney or contact Jim Hamilton at Bose McKinney & Evans with any questions on this issue.


Proposed EEOC Rules Address Wellness Programs

Authored by John Westercamp

On April 20, 2015, the Equal Employment Opportunity Commission (“EEOC”) published proposed regulations addressing wellness programs.  The EEOC estimates that approximately 400,000-600,000 employers offer wellness programs which are regulated by the Americans with Disabilities Act (“ADA”).  Smoking cessation programs, weight loss initiatives and health classes are examples of such wellness programs.  The proposed regulations aim to provide timely guidance to employers concerning how to navigate the law while administering wellness programs.

The EEOC proposed these regulations because of tension among the ADA, the Health Insurance Portability and Accountability Act (“HIPAA”) and the Affordable Care Act (“ACA”).  In the proposed regulations, the EEOC states that “it has a responsibility to interpret the ADA in a manner that reflects both the ADA’s goal of limiting employer access to medical information and HIPAA’s and the Affordable Care Act’s provisions promoting wellness programs.”

A policy underlying HIPAA is to protect the confidentiality of individuals’ health information, while a policy of the ACA is to promote wellness.  The ADA generally prohibits employers from medically examining employees or asking questions about employees’ disabilities.  The ADA also generally prohibits employers from discriminating against employees based on disability.  These different public policies potentially conflict when an employer rewards an employee based on achieving certain health goals.  In order to administer the wellness program, the employer may need some medical information about the employee.  Moreover, if a wellness program rewards participants based on outcome, this program could be discriminatory against individuals with disabilities.

Voluntary wellness programs are an exception in the ADA to the general prohibition against medical examinations.  Therefore, it is critical for employers to understand the definition of “voluntary” to comply with the law.  The proposed regulations offer such a definition for employers to consider.

A program is voluntary if it satisfies four requirements: a) the employer does not require employee participation, b) the employer does not deny the employee health plan coverage for not participating, c) the employer does not retaliate against an employee who does not participate or coerce an employee into participating, and d) if the wellness program is part of a health plan, the employer must disclose what medical information of the employee will be shared and with whom the information will be shared.  If the program meets each of the four requirements, the EEOC considers it “voluntary.”  Obviously, voluntarism is only one aspect of compliance with the law.

Wellness programs must also be “reasonably designed to promote health or prevent disease.”  A wellness program which is overly burdensome fails this standard.  Similarly, a program which is an end run around the ADA or is highly suspect also fails the standard the EEOC proposes.  The EEOC likely adopted a “reasonableness” approach to prohibit employers from introducing extreme, novel or questionable wellness programs.

Even if a program reasonably promotes health or prevents disease, the proposed regulations limit the amount of incentives employers may offer employees.  If a program involves disability-related inquiries or medical examinations, the program may offer incentives or penalties of up to 30% of the cost of employee-only coverage.  A smoking cessation program that merely asks employees whether or not they use tobacco is not an employee health program that includes disability-related inquiries or medical examinations.  Accordingly, employers generally may offer rewards of up to 50% of the cost of employee coverage for smoking cessation programs.

Applying the ADA in the wellness program context, employers must make reasonable accommodations to individuals with disabilities so that they may participate in the program and receive the same reward unless the accommodation would be an undue hardship for the employer.  Therefore, employers should consider how they can ensure all employees the opportunity to participate in wellness programs.  The 2013 final regulations issued by the Departments of Labor, Treasury, and Health and Human Services may be helpful to employers who wish to address this issue.

To address the confidentiality of employees’ health information, the EEOC proposes to limit employers’ receipt of employee medical information collected through a wellness program through aggregation.  Through aggregation, the information received should not disclose or be likely to disclose individuals’ identities.  However, if individualized information is necessary to administer health plans, then the proposed regulation provides an exception.

The proposed regulation also restricts the uses of such medical information.  For instance, employee health information collected through a wellness program may not be used to limit insurance eligibility.  The EEOC suggests that the best practice to administer a program is to have a person without hiring and firing authority manage the program.  This could be achieved through a third party or someone within the company who does not have the ability (or temptation) to fire an individual based on his or her knowledge of the individual’s medical information.  These rules and guidance attempt to balance the needs of employers to administer a wellness program against the interest of employees in keeping their medical information confidential.

The proposed regulation is complex, but attempts to resolve the tension among the ADA, HIPAA and the ACA.  Clearly the EEOC is attempting to balance the policy of prohibiting discrimination while permitting employers to have flexibility to encourage healthy lifestyles.  The proposed regulations have not been finalized and are subject to a comment period; however, the proposed regulations offer employers insight into how the EEOC is currently thinking about enforcement of HIPAA and the ADA.


U.S. Supreme Court hears ACA employer mandate case

Following is a news release issued March 4, 2015 from the Attorney General of the State of Indiana:

U.S. Supreme Court hears ACA employer mandate case 
Outcome will impact case brought by Indiana, 39 schools

INDIANAPOLIS – A case of interest and importance to state government and 39 Indiana school corporations was argued today in the United States Supreme Court and its outcome will have direct bearing on a separate lawsuit Indiana and the schools filed challenging the tax penalties of the employer mandate.

The Supreme Court today heard oral argument in King v. Burwell, an appeal from the 4th Circuit in which petitioners contend the Internal Revenue Service is improperly interpreting the Affordable Care Act to require tax credits and employer mandate penalties in the 27 states that do not operate a health-insurance purchasing exchange. The King petitioners argued the plain language of the ACA says the tax credits and employer mandate penalties apply only in those states that have established an exchange – and don’t apply in states that opted against establishing one where the federal government operates an exchange.

The Supreme Court’s eventual decision in King v. Burwell will have a direct bearing on the lawsuit the State of Indiana and 39 school corporations as government employers filed against the IRS to negate the burdensome ACA employer mandate penalties of $2,000 per employee for every worker their organization employs.  That case, State of Indiana et al. v. IRS et al., was argued last Oct. 9 in the U.S. District Court for the Southern District of Indiana, and further proceedings in the case have been stayed until after the Supreme Court rules on King v. Burwell.  Although not parties to the King case, the State and 39 schools on Dec. 29 filed an amicus brief in the Supreme Court offering legal arguments in support of the petitioners’ side.

“Whether the IRS’s actions have exceeded the authority granted it under the act Congress passed is a legal question of great importance that only the U.S. Supreme Court can answer.  As government employers with personnel management responsibilities over large numbers of public employees, the State and schools need clarity on whether we will be subject to the employer mandate tax penalties; so we are pleased the justices heard the King case and we hope the Supreme Court will render a decision that resolves clearly this question of the IRS’s interpretation,” Indiana Attorney General Greg Zoeller said.

The Attorney General’s Office represents state government in the Indiana v. IRS case; it does not represent private employers or private individuals.  The 39 school corporations are represented by a private law firm, Bose McKinney & Evans LLP.  In their complaint in the Indiana v. IRS case and in their joint amicus brief in the King case, Indiana and the schools do not ask the Supreme Court to cancel private insurance policies obtained with tax credits and do not ask for repayment of tax credits already paid.  Instead, the complaint and amicus brief both note the ACA employer mandate would be a direct tax on the State and its political subdivisions, in violation of intergovernmental tax immunity.

At the oral argument today in the Supreme Court in the King v. Burwell case, the justices directed questions at both sides.  The Court is expected to rule by the end of June.  Further proceedings in the Indiana v. IRS case in federal court in Indianapolis will await the outcome of that ruling.


Federal Insurance Office Releases Report on Global Reinsurance Market

Here is another useful post from our friends at the Bose Insurance Blog:

Back in December, the Federal Insurance Office released its first report on the global reinsurance market, creatively titled “The Breadth and Scope of the Global Reinsurance Market and the Critical Role Such Market Plays in Supporting Insurance in the United States.”

At 47 pages, it’s a surprisingly quick read. (Spoiler alert: the global reinsurance market is big and plays a critical role in supporting insurance in the U.S.) What’s more, it provides a nice overview of the history of reinsurance and its various forms. So, no more citing to Second Circuit opinions for that background stuff.

I know many in the industry were–and still are–very concerned about just what the Federal Insurance Office will actually do. If reports like this are any indication of what the FIO will be doing, I don’t think we have anything to worry about…

…yet.
