Tag Archives: HIPAA

Participant Data And Fiduciary Liability: The Current Regulatory Environment, The Vanderbilt Lawsuit, And Best Practices For Benefit Plan Sponsors

With cybersecurity risks on the rise and increased awareness of the sophisticated ability of hackers in the modern world, many plan sponsors have expressed growing concerns that they may have fiduciary liability with respect to protection of participants’ personal information. By now, most plan sponsors have become accustomed to complying with the Health Insurance Portability and Accountability Act (“HIPAA”) with respect to participant data within their employer-sponsored health plan. However, employers are not accustomed to applying such standards in the retirement plan context. Given the heightened cybersecurity risks in today’s digital society, employers serving as plan sponsors of retirement and welfare benefit plans should begin to implement policies and procedures to protect participant data and should carefully monitor their service providers as they handle participant data.

In recent years, there has been a push for regulation governing protection of personally identifiable information (“PII”) in the retirement plan context. In 2011, an ERISA advisory council that serves as an advisor to the Secretary of Labor issued a report urging the Department of Labor (“DOL”) to issue guidance or regulations relating to the obligation of plan fiduciaries to protect the PII of plan participants and beneficiaries. The council expressed concern over the insecurity of plan financial data, asking the DOL to provide guidance on whether ERISA fiduciaries must secure PII and to develop educational materials for participants. Specific areas of concern included theft of PII or money from accounts, unsecured/unencrypted data, hacking into plan administration and service provider systems, outdated password protections, phishing emails, and stolen hardware. The council met again in 2016 and once again urged the DOL to issue guidance, expressing the hope that the report could serve as a reference for plan sponsors seeking to secure plan data and assets from cybersecurity risks.

To date, the DOL has issued no direct guidance on cybersecurity considerations for PII within retirement and welfare plans. However, a new argument has emerged under ERISA fiduciary standards that the “prudent man” rule, exclusive benefit rule, and the obligation to select and monitor service providers include the obligation to maintain the privacy and security of plan data and monitor service providers’ use of the data. Under ERISA, fiduciaries must act prudently, taking the course of action that a similar, prudent man would in like circumstances and with like knowledge. Furthermore, ERISA requires fiduciaries to act only for the exclusive benefit of plan participants and their beneficiaries. Finally, ERISA fiduciaries must prudently select and monitor a plan’s service providers.

Some have begun to use Interpretive Bulletin 96-1 as a reference point to establish a requirement of prudence in service provider selections, including the prudent selection of a service provider that securely maintains electronic plan data. Additionally, one of the arguments in a lawsuit against Vanderbilt University stated that the University failed to protect plan assets by allowing third parties to market services to participants, referring to participant and financial data held by the plan as “plan assets” protected by fiduciary obligations. In that case, the plaintiffs argued that the University allowed the plan’s recordkeeper to obtain access to participants’ private and sensitive information, including investment choices, account information, contact information, proximity to retirement, age, and more, in order to market and sell its own insurance products to participants outside the plan. The plaintiffs claimed that such an action violated the University’s fiduciary duty to work for the exclusive benefit of the participants. Unfortunately, the parties recently came to a settlement agreement before the courts had a chance to rule on whether ERISA protections will apply to personal plan information.

Although there is no direct guidance from the DOL on fiduciary standards as applied to the privacy and security of participant data, it is likely that in the coming years the DOL will find that retirement and welfare plan fiduciaries have a responsibility to safeguard participant data in compliance with the prudence standard, given the common knowledge of cybersecurity risks in today’s society. Specifically, plan sponsors should be aware of their duty to monitor service providers and the security measures those providers have in place for protecting plan data. Going forward, plan sponsors should implement security policies and procedures relating to the protection of PII and participant data. Some companies have formed cybersecurity committees for purposes of implementing these procedures and increasing awareness internally about the seriousness of cybersecurity. Further, in choosing service providers, plan sponsors should exercise due diligence in questioning the providers’ security measures, breach reporting practices, and contract provisions relating to the protection of plan data.


HIPAA-Covered Entity Exemption To CCPA, Don’t Be Mistaken – You May Still Have To Comply

With the California Consumer Privacy Act’s (CCPA) compliance deadline fast approaching (January 1, 2020), companies are preparing to comply with the additional complex data privacy and security requirements. HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not wholly exempt personal information collected by HIPAA-Covered Entities; it only exempts information already protected by HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, requires health care organizations, employer-sponsored group health plans, healthcare clearinghouses, and other Covered Entities to ensure the privacy and security of Protected Health Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a HIPAA-Covered Entity or related Business Associate must still protect personal data (or even health data) that is covered by the CCPA but does not satisfy the definition of PHI under HIPAA.

HIPAA-Covered Entity Data Could Be Subject to CCPA

What type of data is governed by HIPAA and, as a result, exempt from the CCPA? PHI is defined as “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or medium, whether electronic, paper, or oral. For example, health information, demographic data, medical histories, test results, and insurance information are forms of PHI if they can reasonably be used to identify a patient. Identifiers coupled with health information such as names, geographic locations, dates, contact information, social security numbers, and more can also constitute PHI. If the data amounts to PHI, that data is exempt from the CCPA.

Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.

What This Means for HIPAA-Covered Entities

Start your data mapping now. To determine what information you collect that is not protected under HIPAA, and to what extent the CCPA applies to such data, you must understand what categories of information are collected, who it is received from, what is being done with the data, and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with your obligations under HIPAA to ensure efficiencies throughout your data compliance program.

As you are reviewing how the CCPA applies to your entity, reach out to our experienced privacy and ERISA team to partner with you in developing a practical plan that minimizes risk and syncs with your existing HIPAA obligations. More information about our team is available on the Privacy Team page.

To learn more about the CCPA, read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA).


Insurers And Health Plans—Do You Have Your HIPAA House In Order?


In the wake of the Anthem breach, hackers continue to target the healthcare industry. At the close of May, CareFirst BlueCross BlueShield reported a data breach that was initially discovered last year; however, when the incident was first noticed, the company believed they had adequately taken care of the problem. CareFirst said at the time it was believed they “had contained the attack and prevented any actual access to member information.” Unfortunately, ten months later, CareFirst discovered that the breach had, in fact, continued.

Information on about 1.1 million individuals was affected by the breach, which CareFirst discovered during an information technology security review conducted in the wake of the attacks on Anthem and Premera. In June 2014, according to CareFirst, hackers gained access to a single database where CareFirst stores data that is entered by members and other individuals in order to access the company’s websites and online services.

This incident offers a clear lesson to other organizations: it is time to review their security procedures and address gaps in protections before it is too late. Healthcare data is obtained and stored by a variety of entities that are expected to be aware of, and acting to prevent, these types of risks. Healthcare data is extremely valuable to criminals, as it can be re-packaged and sold for a number of different criminal campaigns. In light of these most recent attacks, we are encouraging all our clients to conduct an internal audit of their security protocols and to implement HIPAA policies and procedures to prevent exposure to new threats in the technological world.

If you have questions or would like to discuss your HIPAA compliance, please contact a member of the McGrath North Privacy and Data Security team.


The Anthem Breach – Assessing Employer Notification Requirements

On February 13, 2015, Anthem, Inc. (Anthem) announced that on January 29, 2015, it discovered that cyber attackers had executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and had obtained personal information relating to consumers who were or are currently covered by Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem. Anthem stated that it believed the suspicious activity may have occurred over the course of several weeks beginning in early December 2014. Anthem has reported that the information accessed may have included individual names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information, including income data. For more information concerning the breach, see the website created by Anthem to update employers about the breach.

Anthem is one of the largest health benefits companies in the United States. Through its affiliated health plans, Anthem companies deliver health benefit solutions through a portfolio of integrated health care plans and related services, along with a range of specialty products such as life and disability insurance benefits, dental, vision, behavioral health benefit services, as well as long term care insurance and flexible spending accounts. Headquartered in Indianapolis, Indiana, Anthem, Inc. is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.

Employers who have Anthem plans or use Anthem as a third party administrator (TPA) for their health plans should review their plan documents to understand what rights and obligations the parties have in the event of a data security breach.

Federal And State Breach Notification Requirements. With respect to federal and state breach notification requirements, if protected health information was involved in the attack, the attack was most likely a breach under HIPAA and subject to the HIPAA breach notification reporting rules. Given the nature of the information involved in the attack, most clients of Anthem will likely treat the attack as a breach under HIPAA and follow HIPAA’s breach notification reporting rules. In addition, forty-seven states have separate breach notification reporting statutes that may be triggered when certain sensitive information (such as Social Security numbers) is breached. Since the rules vary from state to state, an affected employer will need to determine which State breach notification reporting statutes apply.

What Affected Employers Should Do Now. While Anthem’s investigation continues, affected employers should consider taking steps now to ensure that breach reporting requirements are met.

  • Obligation To Provide HIPAA Breach Notification. Breach notification obligations under HIPAA may depend on whether an employer’s health plan is fully insured or self-funded; and, if self-funded, whether Anthem has contractual obligations under its business associate agreement (Agreement) with an affected employer to provide the required notification. If a plan is fully insured, Anthem will likely be obligated to provide the notification. If a plan is self-funded, Anthem may also be obligated to provide the notification pursuant to its Agreement with the employer. Affected employers should review their Agreement with Anthem to make this determination.
  • Obligation To Provide State Breach Notification. Under many State breach notification reporting statutes, the party that lost the data is the one responsible for issuing notification of the breach. A review by an affected employer of the applicable State breach notification reporting statutes will be required to determine its obligation to report the Anthem breach to its employees. An affected employer should also consider confirming with the respective State Attorney General that following the HIPAA breach notification reporting requirements will satisfy that State’s breach notification reporting requirements.
  • Communication With Employees. Affected employers should urge employees affected by the Anthem breach to be extra vigilant for “phishing” schemes – targeted emails with embedded links that might seek to gain access to additional information – and any other suspicious written or verbal communications. Employees should also be encouraged to immediately change their passwords to all sensitive accounts and should monitor credit card and other financial accounts to guard against unusual activity. In addition, in its communications with its employees regarding the Anthem breach, an affected employer should note that any information regarding the Anthem breach has been provided by Anthem (where applicable), and that the employer is not making any representations about the breach or surrounding facts.
  • Review Anthem Mitigation Efforts. An affected employer should confirm with Anthem the steps currently being taken to protect the employer’s employees and other affected individuals. The affected employer will want to review any agreements with Anthem to determine whether the victim protection, client indemnification, and paid notification being proposed by Anthem are consistent with Anthem’s obligations under such agreements.

Year-End Compliance Checklist

It’s that time of year again—time to clean up and close out the 2014 plan year for your ERISA health and retirement plans. The following is an overview of a few compliance items that should be addressed before the close of 2014.

Group Health Plans

This past year was a big year for health plans. With all the changes associated with the Affordable Care Act (“ACA”) and some big announcements by the IRS and the Supreme Court, there are several new items to add to our year-end checklists. Here are a few of the highlights:

  • Health Flexible Spending Accounts. The IRS recently announced that the health flexible spending arrangement (“Health FSA”) limit for 2015 was increased to $2,550. Additionally, as announced last year, Health FSAs continue to be permitted to offer limited rollovers of up to $500.
  • New COBRA Notices. COBRA, which stands for the Consolidated Omnibus Budget Reconciliation Act, requires group health plans to provide qualified beneficiaries with an election notice that describes their rights to continuation coverage and how to make an election. The election notice must be provided to these individuals within 14 days of the date the plan administrator receives the notice of a qualifying event. The Department of Labor (“DOL”) recently issued new model COBRA notices that reference the ACA Marketplaces (or “exchanges”). Accordingly, employers should modify their COBRA notices and include this new language going forward.
  • Health Reimbursement Arrangements. The IRS continues to maintain that certain health reimbursement arrangements which operate independently of group health plans must be re-designed or terminated by January 1, 2014. Employers providing reimbursement for individual health insurance policies or other medical care should review their plan design to ensure the arrangement remains permissible.
  • DOMA. On June 26, 2013, the Supreme Court of the United States ruled in the well-publicized United States v. Windsor that Section 3 of the Defense of Marriage Act (“DOMA”) was unconstitutional. As a result, the IRS and the DOL declared that employee benefit plans must now treat same-sex spouses in the same manner as opposite-sex spouses. To this end, plan sponsors should review the plan documents and gather information to determine the impact of this guidance. Specifically, plans should update eligibility provisions, adjust imputed income practices and review plan definitions of “spouse” to ensure compliance before year end.
  • HIPAA. In January 2013, the government released final HIPAA regulations which became effective September 23, 2013. Sponsors of group health plans should review and update their plan’s HIPAA materials as necessary to ensure compliance with the new regulations. This review should include the plan’s HIPAA Privacy Notice, Business Associate Agreements and HIPAA Privacy Policies.

Sponsors of group health plans should continue to focus their efforts on getting ready for the full onset of the ACA’s employer mandate. Under the mandate, large employers will be subject to significant penalties if they fail to offer health coverage or fail to offer sufficient health coverage to their full-time employees. Employers should have measurement periods in place and should continue to examine their workforce, particularly part-time and/or seasonal employees, in order to finalize their health care reform strategies for 2015.

Retirement Plans

Although the ACA has dominated the employee benefits news this past year, plan sponsors of retirement plans are equally affected by the Supreme Court’s ruling on DOMA. Additionally, retirement plans are subject to a variety of annual disclosure obligations. Here are a few of the year-end compliance highlights:

  • Safe Harbor 401(k) Plans. Plan sponsors of safe harbor 401(k) plans must provide all participants an annual notice describing the employer’s safe harbor contributions. This notice must be provided to participants at least 30 days (but not more than 90 days) before the first day of the plan year. For most plans, the notice was due December 1, 2014.
  • Automatic Enrollment Features. Plans that automatically enroll participants are required to provide participants with an annual notice describing the plan’s enrollment and contribution features. This notice must be provided to participants at least 30 days (but not more than 90 days) before the first day of the plan year. For most plans, the notice was due December 1, 2014.
  • Funding Notice for Defined Benefit Plans. Defined benefit plans are required to provide participants with a funding notice summarizing the plan’s assets and liabilities, its funding status for the previous two years and certain other information. The notices are due no later than 120 days after the close of the plan year. For most large plans, the notice must be provided by April 30, 2015.
  • Qualified Default Investment. Where participants are allowed to direct their own investments, defined contribution plans are allowed to select a “qualified default investment” in which participants’ assets will be invested if the participant does not select an investment option. The plan sponsor must give participants notice of the plan’s qualified default investment. This notice must be provided to participants at least 30 days (but not more than 90 days) before the first day of the plan year. For most plans, the notice was due December 1, 2014.
  • DOMA. Pursuant to the Supreme Court ruling and guidance from the IRS, same-sex spouses must be treated as lawful spouses for purposes of maximum benefit limitations, spousal consent rules, rollovers, death benefits, minimum required distributions, availability of in-service hardship withdrawals and assignment of benefits under qualified domestic relations orders. At a minimum, plan sponsors should review the plan documents, policies and procedures to determine whether additional amendments are needed to reflect these changes.

Complying with the IRS and the DOL notice requirements is an important part of the plan administration process. Furthermore, penalties for noncompliance can be significant. Penalties for noncompliance generally begin at $100 per day per affected participant or beneficiary.

Compliance Assistance

We understand this is a busy time of year for many of our clients and that it’s easy to overlook small details. If you have any questions regarding the above items or have any related compliance questions, be sure to contact your McGrath North attorney.


Connecticut Court Allows HIPAA Negligence Claim


On November 11, 2014, the Connecticut Supreme Court ruled that HIPAA does not preempt Connecticut State common law claims for negligence or negligent infliction of emotional distress, and that HIPAA may provide the applicable standard of care. The Connecticut decision joins a number of decisions in other States, including Missouri, Indiana, West Virginia and North Carolina, holding that HIPAA can establish the standard of care in support of State common law negligence claims.

In Byrne v. Avery Center, the plaintiff received gynecological and obstetrical services from the defendant Avery Center. After the plaintiff ended a relationship with a man named Mendoza, he filed several paternity suits against her, and in connection with the paternity suits, defendant Avery Center was served with a subpoena for the plaintiff’s medical records. Instead of seeking the plaintiff’s authorization to disclose the records, obtaining a protective order, or filing a motion to quash, the defendant mailed a copy of the medical records to the court. Before the plaintiff was able to file a motion to seal her records, Mendoza viewed them. The plaintiff alleged that she suffered harassment and extortion threats from Mendoza after he viewed her medical records, and that Mendoza was able to use the information to file several civil actions, including paternity and visitation actions. On motions for summary judgment by both parties, the trial court dismissed the plaintiff’s negligence and negligent infliction of emotional distress claims, noting that it is well-settled that HIPAA does not provide a private right of action and that HIPAA preempts any action dealing with confidentiality/privacy of medical information. The plaintiff appealed and the Connecticut Supreme Court reversed the trial court as described above. The full text of the Connecticut decision is available online.

The lesson from Byrne is that while it is generally understood that there is no private right of action under HIPAA, healthcare providers and their business associates should be mindful of the potential for de facto enforcement of HIPAA via State law negligence claims by individual patients in addition to enforcement actions instituted by State Attorneys General and federal agencies. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.


Government Delays Health Plan Identifier Requirement Indefinitely


The Requirement. The Health Plan Identifier (HPID) is a standard, unique health plan identifier required by the Health Insurance Portability & Accountability Act of 1996 (HIPAA). The rule applies to Controlling Health Plans or CHPs (health plans that control their own business activities, actions, or policies; or are controlled by entities that are not health plans) and required CHPs to obtain an HPID by November 5, 2014. Small health plans had until November 5, 2015 to comply. Sponsors of self-funded plans were responsible for obtaining the HPID on behalf of the plan. For fully insured plans, the insurer was responsible for obtaining the HPID on behalf of the plan.

The Delay. Effective October 31, 2014, Health and Human Services (HHS) announced a delay, until further notice, in enforcement of the HPID requirement. This enforcement delay applies to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses. This means that if you have yet to apply for and receive an HPID number, the November 5, 2014 deadline is temporarily suspended until further notice.

This delay will come as a welcome reprieve to many plan sponsors during this busy time of year.


New Sheriff In Town: FTC Enters The Fray As A Federal Enforcer Of Healthcare Data Breaches

Over the last several years, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has significantly increased its HIPAA healthcare data breach enforcement posture, resulting in aggregate fines exceeding $10 million since June 2013. On top of these increased enforcement efforts, the Federal Trade Commission (“FTC”) has now entered the fray as an additional federal enforcer of healthcare data breaches.

In August 2013, the FTC filed an administrative complaint against LabMD, a Georgia cancer detection services laboratory, for failing to provide reasonable and appropriate security for protected health information (“PHI”) on its computer networks, resulting in a breach affecting over 9,000 consumers’ billing information. The FTC claimed that this alleged security failure and consumer harm represented an unfair act or practice under Section 5 of the FTC Act. In the course of rejecting LabMD’s motion to dismiss, the FTC asserted its jurisdiction by stating that nothing in HIPAA indicated an intent of Congress to restrict the FTC’s authority over alleged unfair data security practices such as those at issue in the LabMD case, and that nothing in HIPAA or HHS’ rules negated the FTC’s authority to enforce the FTC Act. On May 12, 2014, a federal district court dismissed LabMD’s motion for a preliminary injunction to stop the FTC’s administrative proceeding. Regardless of the outcome of the FTC administrative proceeding, businesses should take note that on January 28, 2014, LabMD announced it would be winding down its operations, citing the debilitating effects of the FTC’s investigative practices and litigation.

Businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules now need to be concerned with more than the OCR and state Attorneys General, who are given direct enforcement power under HIPAA, because the FTC has now clearly asserted itself as an additional regulator of healthcare data breaches. Businesses should remain diligent in their HIPAA compliance efforts, as a breach of PHI may result in multiple enforcement actions. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.


HIPAA Compliance Fines To Increase Next Year

Jerome B. Meites, a chief regional civil rights counsel at HHS, advised a June 12 American Bar Association conference in Chicago that enforcement efforts by HHS in the next 12 months regarding privacy breaches and/or security lapses involving protected health information will likely result in aggregate fines exceeding the more than $10 million in fines assessed since June 2013. Mr. Meites based his remarks on previous statements in which leaders at HHS’ Office of Civil Rights have signaled an increasing desire to send strong messages. As part of his remarks, Mr. Meites also noted that portable media causes an enormous number of the complaints that OCR deals with. The message here for businesses subject to the HIPAA Privacy, Security and Data Breach Notification rules is to perform a comprehensive risk analysis and then address any vulnerabilities raised by the analysis, with a particular focus on mobile devices. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.
