Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million

The following information was released by the HHS Office for Civil Rights in Action on August 4, 2016.

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan.  This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.

OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals.  The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Read the press release, resolution agreement and corrective action plan on the HHS website.


OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.

Learn more about OCR’s Phase 2 Audit program.


Improper Disclosure of Research Participants’ Protected Health Information Results In $3.9 Million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to building and maintaining trust in health research.  Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements

North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


Yellow Light: IRS Delays Reporting Requirements Again!

Earlier today, the IRS announced an extension of the due dates for IRS Forms 1094 and 1095. In IRS Notice 2016-4, the IRS states that employers are not required to furnish individuals with either Form 1095-B or 1095-C until March 31, 2016. The deadline was previously February 1, 2016. In addition, employers are not required to file Form 1094-B or Form 1094-C with the IRS until May 31, 2016 if filing paper returns, or June 30, 2016 if filing electronically. The prior deadlines were February 29, 2016 (paper) and March 31, 2016 (electronic).

This is now the second delay of the ACA reporting requirements. On July 2, 2013 (coincidentally, also adjacent to a national holiday), the U.S. Department of the Treasury issued a blog post that announced a delay of the ACA shared responsibility penalties and the accompanying reporting requirements until the 2015 taxable year. A copy of my summary of the prior delay is available here.

The IRS now anticipates that many people will file their individual tax returns (Form 1040) prior to receiving the Form 1095-B or 1095-C from their employers or other coverage providers. Accordingly, the IRS will allow individuals to rely on other information from their employers or other coverage providers for purposes of filing their returns in 2015.

As most large employers are well aware, the IRS Forms 1094-C and 1095-C are complicated and impose significant administrative burdens. Any delay or simplification of these forms is welcome news. However, at this point, the IRS has lost all credibility on ACA matters, after insisting that there would be no delay of the 2015 reporting deadlines. It is now manifestly clear that the IRS is struggling with the ACA shared responsibility rules as much as the rest of the country.

Please consult your attorney or contact Jim Hamilton at Bose McKinney & Evans with any questions on this issue.


Proposed EEOC Rules Address Wellness Programs

Authored by John Westercamp

On April 20, 2015, the Equal Employment Opportunity Commission (“EEOC”) published proposed regulations addressing wellness programs.  The EEOC estimates that approximately 400,000-600,000 employers offer wellness programs which are regulated by the Americans with Disabilities Act (“ADA”).  Smoking cessation programs, weight loss initiatives and health classes are examples of such wellness programs.  The proposed regulations aim to provide timely guidance to employers concerning how to navigate the law while administering wellness programs.

The EEOC proposed these regulations because of tension among the ADA, the Health Insurance Portability and Accountability Act (“HIPAA”) and the Affordable Care Act (“ACA”).  In the proposed regulations, the EEOC states that “it has a responsibility to interpret the ADA in a manner that reflects both the ADA’s goal of limiting employer access to medical information and HIPAA’s and the Affordable Care Act’s provisions promoting wellness programs.”

A policy underlying HIPAA is to protect the confidentiality of individuals’ health information, while a policy of the ACA is to promote wellness.  The ADA generally prohibits employers from medically examining employees or asking questions about employees’ disabilities.  The ADA also generally prohibits employers from discriminating against employees based on disability.  These different public policies potentially conflict when an employer rewards an employee based on achieving certain health goals.  In order to administer the wellness program, the employer may need some medical information about the employee.  Moreover, if a wellness program rewards participants based on outcome, this program could be discriminatory against individuals with disabilities.

Voluntary wellness programs are an exception in the ADA to the general prohibition against medical examinations.  Therefore, it is critical for employers to understand the definition of “voluntary” to comply with the law.  The proposed regulations offer such a definition for employers to consider.

A program is voluntary if it satisfies four requirements: a) the employer does not require employee participation, b) the employer does not deny the employee health plan coverage for not participating, c) the employer does not retaliate against an employee who does not participate or coerce an employee into participating, and d) if the wellness program is part of a health plan, the employer must disclose what medical information of the employee will be shared and with whom it will be shared.  If the program meets each of the four requirements, the EEOC considers it “voluntary.”  Obviously, voluntarism is only one aspect of compliance with the law.

Wellness programs must also be “reasonably designed to promote health or prevent disease.”  A wellness program which is overly burdensome fails this standard.  Similarly, a program which is an end run to the ADA or is highly suspect also fails the standard the EEOC proposes.  The EEOC likely adopted a “reasonableness” approach to prohibit employers from introducing extreme, novel or questionable wellness programs.

Even if a program reasonably promotes health or prevents disease, the proposed regulations limit the amount of incentives employers may offer employees.  If a program involves disability-related inquiries or medical examinations, the program may offer incentives or penalties of up to 30% of the cost of employee-only coverage.  A smoking cessation program that merely asks employees whether or not they use tobacco is not an employee health program that includes disability-related inquiries or medical examinations.  Accordingly, employers generally may offer rewards of up to 50% of the cost of employee coverage for smoking cessation programs.

Applying the ADA in the wellness program context, employers must make reasonable accommodations to individuals with disabilities so that they may participate in the program and receive the same reward unless the accommodation would be an undue hardship for the employer.  Therefore, employers should consider how they can ensure all employees the opportunity to participate in wellness programs.  The 2013 final regulations issued by the Departments of Labor, Treasury, and Health and Human Services may be helpful to employers who wish to address this issue.

To protect the confidentiality of employees’ health information, the EEOC proposes to limit employers’ receipt of employee medical information collected through a wellness program through aggregation.  Through aggregation, the information received should not disclose or be likely to disclose individuals’ identities.  However, if individualized information is necessary to administer health plans, then the proposed regulation provides an exception.

The proposed regulation also restricts the uses of such medical information.  For instance, employee health information collected through a wellness program may not be used to limit insurance eligibility.  The EEOC suggests that the best practice to administer a program is to have a person without hiring and firing authority manage the program.  This could be achieved through a third party or someone within the company who does not have the ability (or temptation) to fire an individual based on his or her knowledge of the individual’s medical information.  These rules and guidance attempt to balance the needs of employers to administer a wellness program against the interest of employees in keeping their medical information confidential.

The proposed regulation is complex, but attempts to resolve the tension among the ADA, HIPAA and the ACA.  Clearly the EEOC is attempting to balance the policy of prohibiting discrimination while permitting employers to have flexibility to encourage healthy lifestyles.  The proposed regulations have not been finalized and are subject to a comment period; however, the proposed regulations offer employers insight into how the EEOC is currently thinking about enforcement of HIPAA and the ADA.


U.S. Supreme Court hears ACA employer mandate case

Following is a news release issued March 4, 2015 from the Attorney General of the State of Indiana:

U.S. Supreme Court hears ACA employer mandate case 
Outcome will impact case brought by Indiana, 39 schools

INDIANAPOLIS – A case of interest and importance to state government and 39 Indiana school corporations was argued today in the United States Supreme Court and its outcome will have direct bearing on a separate lawsuit Indiana and the schools filed challenging the tax penalties of the employer mandate.

The Supreme Court today heard oral argument in King v. Burwell, an appeal from the 4th Circuit in which petitioners contend the Internal Revenue Service is improperly interpreting the Affordable Care Act to require tax credits and employer mandate penalties in the 27 states that do not operate a health-insurance purchasing exchange. The King petitioners argued the plain language of the ACA says the tax credits and employer mandate penalties apply only in those states that have established an exchange – and don’t apply in states that opted against establishing one where the federal government operates an exchange.

The Supreme Court’s eventual decision in King v. Burwell will have a direct bearing on the lawsuit the State of Indiana and 39 school corporations as government employers filed against the IRS to negate the burdensome ACA employer mandate penalties of $2,000 per employee for every worker their organization employs.  That case, State of Indiana et al. v. IRS et al., was argued last Oct. 9 in the U.S. District Court for the Southern District of Indiana, and further proceedings in the case have been stayed until after the Supreme Court rules on King v. Burwell.  Although not parties to the King case, the State and 39 schools on Dec. 29 filed an amicus brief in the Supreme Court offering legal arguments in support of the petitioners’ side.

“Whether the IRS’s actions have exceeded the authority granted it under the act Congress passed is a legal question of great importance that only the U.S. Supreme Court can answer.  As government employers with personnel management responsibilities over large numbers of public employees, the State and schools need clarity on whether we will be subject to the employer mandate tax penalties; so we are pleased the justices heard the King case and we hope the Supreme Court will render a decision that resolves clearly this question of the IRS’s interpretation,” Indiana Attorney General Greg Zoeller said.

The Attorney General’s Office represents state government in the Indiana v. IRS case; it does not represent private employers or private individuals.  The 39 school corporations are represented by a private law firm, Bose McKinney & Evans LLP.  In their complaint in the Indiana v. IRS case and in their joint amicus brief in the King case, Indiana and the schools do not ask the Supreme Court to cancel private insurance policies obtained with tax credits and do not ask for repayment of tax credits already paid.  Instead, the complaint and amicus brief both note the ACA employer mandate would be a direct tax on the State and its political subdivisions, in violation of intergovernmental tax immunity.

At the oral argument today in the Supreme Court in the King v. Burwell case, the justices directed questions at both sides.  The Court is expected to rule by the end of June.  Further proceedings in the Indiana v. IRS case in federal court in Indianapolis will await the outcome of that ruling.
