What to do about ACA Reporting

I have been advising employers to wait until February 1, 2017 before starting work on the 2016 1094 and 1095 forms. My hope was that, based upon all of the campaign rhetoric, the ACA reporting obligations would either be further delayed or repealed during the first couple of weeks of the Trump administration.

President Trump did issue an executive order on January 20, 2017 instructing all federal government agencies “to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement” of the ACA. Unfortunately, as of February 1, a lengthy delay or repeal of the reporting requirements has not occurred.

I now believe that employers need to start working on the 1094 and 1095 forms to meet the applicable filing and distribution deadlines. The deadline to file Forms 1094-B, 1095-B, 1094-C and 1095-C (as applicable) with the IRS is February 28, 2017, or March 31, 2017 if filing electronically. Form 1095-B or Form 1095-C (as applicable) must be distributed to employees by March 2, 2017.


Executive Order Issued on ACA

[Official Guidance] The White House, via Fox News

Text of President Trump’s Executive Order: ‘Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal’
Signed on Jan. 20, 2017. “To the maximum extent permitted by law, the Secretary of Health and Human Services and the heads of all other executive departments and agencies with authorities and responsibilities under the Act shall exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications…. To the maximum extent permitted by law, the head of each department or agency with responsibilities relating to healthcare or health insurance shall encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.”


UMass settles potential HIPAA violations following malware infection

The following is text sent on November 22, 2016 from the HHS Office for Civil Rights in Action. For more information, contact Jim Hamilton at jhamilton@boselaw.com.


The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015.

On June 18, 2013, UMass reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (the “Center”) was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

  • UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components. Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. (Note: The HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.” To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.)
  • UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center.
  • Finally, UMass did not conduct an accurate and thorough risk analysis until September 2015.

In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures; and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/umass.

OCR offers guidance to covered entities and their business associates on compliance with the HIPAA Security Rule at: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html.



Yellow Light (Again): IRS Extends ACA Deadline to Furnish Forms

On November 18, 2016, the IRS extended the due date for employers to furnish 2016 Form 1095-B and Form 1095-C to individuals from January 31, 2017 until March 2, 2017. The IRS stated that the extension is appropriate because a substantial number of employers need additional time to gather and analyze the information necessary to prepare the forms.

Notice 2016-70 does not extend the deadline for filing the 1094-B, 1095-B, 1094-C or 1095-C with the IRS. The deadline to file these forms is February 28, 2017, or March 31, 2017 if filing electronically.

President-Elect Trump will take office on January 20, 2017. In light of the IRS extension and campaign rhetoric, it is becoming increasingly likely that employers will not be required to distribute and/or file the 2016 1094 and 1095 forms at all. It would be helpful to all employers if the federal government would provide definitive guidance on this issue no later than the end of January.


Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million

The following information was released by the HHS Office for Civil Rights in Action on August 4, 2016.

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.

OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Read the press release, resolution agreement and corrective action plan on the HHS website.


OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews. These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam.

Learn more about OCR’s Phase 2 Audit program.


Improper Disclosure of Research Participants’ Protected Health Information Results In $3.9 Million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to building and maintaining trust in health research. Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.
