Showing posts with label HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. Show all posts

Thursday, December 26, 2013

ADJUSTMENTS PROPOSED TO EXCEPTED BENEFITS REGULATIONS

FROM:  U.S. DEPARTMENT OF LABOR 

Obama administration proposes adjustments to excepted benefits regulations
WASHINGTON — The U.S. Departments of Labor, Health and Human Services, and Treasury today proposed rules that would adjust regulations under the Health Insurance Portability and Accountability Act of 1996 regarding excepted benefits to include employee assistance programs (EAPs). The proposed rules would also provide added options for employees and employers in connection with the Affordable Care Act.

"This proposal would give employers and workers more options for their health-care coverage while staying true to the consumer protections put in place by the Affordable Care Act," said Assistant Secretary of Labor for Employee Benefits Security Phyllis C. Borzi. "This is another example of federal agencies listening to public concerns and responding with solutions."

Under HIPAA, excepted benefits are exempt from certain health reform requirements, including some requirements added by the Affordable Care Act. Since the passage of the Affordable Care Act, employers, employees and other stakeholders have expressed concerns that the existing HIPAA definitions should be updated in light of the new Affordable Care Act standards.

The proposed rules would amend current regulations to treat certain EAPs as excepted benefits, effective immediately. EAPs are typically free programs offered by employers that can provide wide-ranging benefits to address circumstances that might otherwise adversely affect employees’ work and health. Benefits may include short-term substance abuse or mental health counseling or referral services, as well as financial counseling and legal services. Under the proposed rules, EAPs would be considered excepted benefits if the program is free to employees and does not provide significant benefits in the nature of medical care or treatment. As excepted benefits, EAPs would be exempt from private insurance market reforms, and EAP coverage would not make individuals ineligible for a premium tax credit for enrolling in qualified health plans through the Health Insurance Marketplace.

Similarly, under the proposed regulations, vision and dental benefits provided by employers on a self-insured basis would be able to qualify as excepted benefits effective immediately, even if they do not require contributions from employees. Insured vision and dental benefits, as well as self-insured vision and dental coverage that requires employee contributions, already qualify as excepted benefits.

Effective for plan years starting in 2015, the proposed rules also would treat as excepted benefits certain limited coverage provided by plan sponsors that "wraps around" an individual market policy. The "wraparound" coverage would be available to employees for whom the plan sponsor’s primary group health coverage is not affordable and who instead get coverage through a nongrandfathered individual market policy. The wraparound coverage would provide extra benefits or broader networks, and may also reduce cost sharing. The proposal would not allow the wraparound coverage to substitute for employment-based coverage. The value of the wraparound coverage could not exceed 15 percent of the value of the primary coverage offered by the plan sponsor, which must be affordable for at least the majority of employees.

Wednesday, June 27, 2012

ALASKA STATE MEDICAID AGENCY TO PAY U.S. HHS $1.7 MILLION TO SETTLE ALLEGED HIPAA PRIVACY VIOLATIONS


U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Alaska Medicaid settles HIPAA security case for $1,700,000
The Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to HHS Secretary Sebelius and the media.  Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Thursday, April 19, 2012

HHS AND HEALTHCARE COMPANY SETTLE OVER PATIENT INFORMATION SAFEGUARDS


FROM:  U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. 
The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.   On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI). 
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR.  “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
OCR’s investigation also revealed the following issues:
  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information; 
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and to carry out a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.
