Showing posts with label HIPAA. Show all posts
Showing posts with label HIPAA. Show all posts

Monday, April 28, 2014

STOLEN LAPTOPS AND ACCOUNTABILITY FOR NON-ENCRYPTED COMPUTERS UNDER HIPAA

FROM: U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES 
April 22, 2014
Stolen laptops lead to important HIPAA settlements

Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.  OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.

OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car.  While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.  QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI.  QCA is also required to retrain its workforce and document its ongoing compliance efforts.

Tuesday, February 4, 2014

HHS HELPS PATIENTS ACCESS LAB TEST REPORTS

FROM:  DEPARTMENT OF HEALTH AND HUMAN SERVICES 
HHS strengthens patients’ right to access lab test reports

As part of an ongoing effort to empower patients to be informed partners with their health care providers, the Department of Health and Human Services (HHS) has taken action to give patients or a person designated by the patient a means of direct access to the patient’s completed laboratory test reports.

“The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” said Secretary Kathleen Sebelius. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”

The final rule announced today amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative,” access to the patient’s completed test reports on the patient’s or patient’s personal representative’s request. At the same time, the final rule eliminates the exception under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to an individual’s right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory. While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.

The final rule is issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

Under the HIPAA Privacy Rule, patients, patient’s designees and patient’s personal representatives can see or be given a copy of the patient’s protected health information, including an electronic copy, with limited exceptions. In doing so, the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive. In most cases, copies must be given to the patient within 30 days of his or her request.

Thursday, December 26, 2013

ADJUSTMENTS PROPOSED TO EXCEPTED BENEFITS REGULATIONS

FROM:  U.S. DEPARTMENT OF LABOR 

Obama administration proposes adjustments to excepted benefits regulations
WASHINGTON — The U.S. Departments of Labor, Health and Human Services, and Treasury today proposed rules that would adjust regulations under the Health Insurance Portability and Accountability Act of 1996 regarding excepted benefits to include employee assistance programs (EAPs). The proposed rules would also provide added options for employees and employers in connection with the Affordable Care Act.

"This proposal would give employers and workers more options for their health-care coverage while staying true to the consumer protections put in place by the Affordable Care Act," said Assistant Secretary of Labor for Employee Benefits Security Phyllis C. Borzi. "This is another example of federal agencies listening to public concerns and responding with solutions."

Under the HIPAA, excepted benefits are exempt from certain health reform requirements, including some requirements added by the Affordable Care Act. Since the passage of the Affordable Care Act, employers, employees and other stakeholders expressed concerns that past HIPAA definitions should be updated in light of new Affordable Care Act standards.

The proposed rules would amend current regulations to treat certain EAPs as excepted benefits, effective immediately. EAPs are typically free programs offered by employers that can provide wide-ranging benefits to address circumstances that might otherwise adversely affect employees’ work and health. Benefits may include short-term substance abuse or mental health counseling or referral services, as well as financial counseling and legal services. Under the proposed rules, EAPs would be considered excepted benefits if the program is free to employees and does not provide significant benefits in the nature of medical care or treatment. As excepted benefits, EAPs would be exempt from private insurance market reforms, and EAP coverage would not make individuals ineligible for a premium tax credit for enrolling in qualified health plans through the Health Insurance Marketplace.

Similarly, under the proposed regulations, vision and dental benefits provided by employers on a self-insured basis would be able to qualify as excepted benefits effective immediately, even if they do not require contributions from employees. Insured vision and dental benefits, as well as self-insured vision and dental coverage that requires employee contributions, already qualify as excepted benefits.

Effective for plan years starting in 2015, the proposed rules also would treat as excepted benefits certain limited coverage provided by plan sponsors that "wraps around" an individual market policy. The "wraparound" coverage would be available to employees for whom the plan sponsor’s primary group health coverage is not affordable and who instead get coverage through a nongrandfathered individual market policy. The wraparound coverage would provide extra benefits or broader networks, and may also reduce cost sharing. The proposal would not allow the wraparound coverage to substitute for employment-based coverage. The value of the wraparound coverage could not exceed 15 percent of the value of the primary coverage offered by the plan sponsor, which must be affordable for at least the majority of employees.

Wednesday, September 5, 2012

OVERVIEW: THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Photo Credit:  U.S. Navy.
FROM: U.S. DEPARTMENT OF LABOR
The Health Insurance Portability And Accountability Act (HIPAA)
U.S. Department of Labor
Employee Benefits Security Administration
December 2004

The Health Insurance Portability and Accountability Act (HIPAA) offers protections for millions of American workers that improve portability and continuity of health insurance coverage.

HIPAA Protects Workers And Their Families By
Limiting exclusions for preexisting medical conditions (known as preexisting conditions).
Providing credit against maximum preexisting condition exclusion periods for prior health coverage and a process for providing certificates showing periods of prior coverage to a new group health plan or health insurance issuer.
Providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, get married or add a new dependent.
Prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors.
Guaranteeing availability of health insurance coverage for small employers and renewability of health insurance coverage for both small and large employers.
Preserving the states’ role in regulating health insurance, including the states’ authority to provide greater protections than those available under federal law.

Preexisting Condition Exclusions
The law defines a preexisting condition as one for which medical advice, diagnosis, care, or treatment was recommended or received during the 6-month period prior to an individual’s enrollment date (which is the earlier of the first day of health coverage or the first day of any waiting period for coverage).
Group health plans and issuers may not exclude an individual’s preexisting medical condition from coverage for more than 12 months (18 months for late enrollees) after an individual’s enrollment date.
Under HIPAA, a new employer’s plan must give individuals credit for the length of time they had prior continuous health coverage, without a break in coverage of 63 days or more, thereby reducing or eliminating the 12-month exclusion period (18 months for late enrollees).

Creditable Coverage
Includes prior coverage under another group health plan, an individual health insurance policy, COBRA, Medicaid, Medicare, CHAMPUS, the Indian Health Service, a state health benefits risk pool, FEHBP, the Peace Corps Act, or a public health plan.

Certificates Of Creditable Coverage
Certificates of creditable coverage must be provided automatically and free of charge by the plan or issuer when an individual loses coverage under the plan, becomes entitled to elect COBRA continuation coverage or exhausts COBRA continuation coverage. A certificate must also be provided free of charge upon request while you have health coverage or anytime within 24 months after your coverage ends.
Certificates of creditable coverage should contain information about the length of time you or your dependents had coverage as well as the length of any waiting period for coverage that applied to you or your dependents.
For plan years beginning on or after July 1, 2005, certificates of creditable coverage should also include an educational statement that describes individuals' HIPAA portability rights. A new model cerfiticate is available on EBSAs Web site.
If a certificate is not received, or the information on the certificate is wrong, you should contact your prior plan or issuer. You have a right to show prior creditable coverage with other evidence — like pay stubs, explanation of benefits, letters from a doctor — if you cannot get a certificate.

Special Enrollment Rights
Are provided for individuals who lose their coverage in certain situations, including on separation, divorce, death, termination of employment and reduction in hours. Special enrollment rights also are provided if employer contributions toward the other coverage terminates.
Are provided for employees, their spouses and new dependents upon marriage, birth, adoption or placement for adoption.

Discrimination Prohibitions
Ensure that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors.

This fact sheet has been developed by the U.S. Department of Labor, Employee Benefits Security Administration, Washington, DC 20210. It will be made available in alternate formats upon request: Voice phone: 202.693.8664; Text telephone: 202.501.3911. In addition, the information in this fact sheet constitutes a small entity compliance guide for purposes of the Small Business Regulatory Enforcement Fairness Act of 1996.

Search This Blog

Translate

White House.gov Press Office Feed