Tag Archives: HIPAA

Anthem Reports a Major Data Breach

February 5, 2015


Anthem Inc., the nation's second largest health insurer, disclosed Wednesday that hackers gained access to its servers and stole Social Security numbers and other personal data of current and former members.

Anthem will individually notify current and former members whose information has been accessed. Anthem will provide credit monitoring and identity protection services to those who have been affected.

A dedicated website has been created – www.anthemfacts.com – to provide answers to frequently asked questions. This website will be updated on a continual basis. A dedicated toll-free number (1-877-263-7995) has also been established so current and previous members can call if they have questions related to this incident.

Anthem is working diligently to identify all impacted current and former members, and will be mailing letters to them in the coming weeks. This letter will advise those affected of protections being offered as well as any next steps.


CMS Delays HPID Deadline

November 3, 2014


The Centers for Medicare & Medicaid Services (CMS) issued a delay, until further notice, in enforcement of regulations pertaining to health plan enumeration and use of the Health Plan Identifier (HPID).

The HPID is a standard, unique health plan identifier required by HIPAA. Deadlines for plan compliance are as follows:

  • Controlling health plans (other than small health plans) are required to obtain HPIDs by November 5, 2014
  • Small controlling health plans, not to be confused with sub-health plans (SHPs), are required to obtain HPIDs by November 5, 2015

This enforcement delay applies to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses.

On September 23, 2014, the National Committee on Vital and Health Statistics (NCVHS), an advisory body to HHS, recommended that HHS amend the rule so that covered entities (health plans, healthcare providers and clearinghouses, and their business associates) do not use the HPID in HIPAA transactions. This enforcement discretion gives HHS time to review the NCVHS recommendation and consider appropriate next steps.


Laptop Thefts Result in $1.9 Million in HIPAA Settlements

April 22, 2014


The U.S. Department of Health and Human Services (HHS) announced that two organizations have paid the HHS Office for Civil Rights (OCR) a combined $1.9 million to address potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These enforcement actions highlight the significant risk posed by unencrypted laptops and other mobile devices.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that the lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle the potential violations and will adopt a corrective action plan to document its remediation of these findings.

OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted its devices following discovery of the breach, OCR’s investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and a corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
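Both settlements turn on the same gap: encryption that was recognized as necessary but never verified to actually cover every device holding ePHI. The following is an added example, not code from OCR or from either organization, of the kind of per-device check that closes that gap on a Linux laptop. It assumes util-linux `lsblk` with the NAME, KNAME, TYPE, MOUNTPOINT and PKNAME columns, parses the key="value" pairs that `lsblk -P` prints, and walks each mounted filesystem's parent chain looking for a dm-crypt/LUKS layer; the sample output embedded below is constructed for illustration, not captured from a real host. Windows (BitLocker) and macOS (FileVault) need their own tooling.

```python
"""Audit which mounted filesystems on a Linux laptop sit on an encrypted block layer.

Parses `lsblk -P -o NAME,KNAME,TYPE,MOUNTPOINT,PKNAME` output and walks each
mounted device's parent chain (PKNAME) looking for a TYPE="crypt" ancestor.
Volumes with no such ancestor are the ones a stolen laptop would expose.
"""
import shlex
import subprocess
import sys

LSBLK_COLUMNS = "NAME,KNAME,TYPE,MOUNTPOINT,PKNAME"

# Constructed sample output (not captured from a real host): root and swap are
# LVM volumes on top of LUKS, but a second disk holding /data is a plain partition.
SAMPLE_LSBLK = """\
NAME="sda" KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" KNAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" KNAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" KNAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="vg0-root" KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
NAME="vg0-swap" KNAME="dm-2" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"
NAME="sdb" KNAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" KNAME="sdb1" TYPE="part" MOUNTPOINT="/data" PKNAME="sdb"
"""

# Mount points that are expected to be cleartext on a typical LUKS laptop.
BOOT_MOUNTS = frozenset({"/boot", "/boot/efi"})


def parse_lsblk_pairs(text):
    """Return {KNAME: {column: value}} from `lsblk -P` key="value" output."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in shlex.split(line):  # shlex strips the double quotes
            key, _, value = token.partition("=")
            fields[key] = value
        devices[fields["KNAME"]] = fields  # PKNAME refers to the parent's KNAME
    return devices


def is_encrypted(kname, devices):
    """True if the device or any ancestor in its PKNAME chain is a crypt layer."""
    seen = set()
    while kname and kname not in seen:  # `seen` guards against a malformed cycle
        seen.add(kname)
        dev = devices.get(kname)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        kname = dev["PKNAME"]
    return False


def unencrypted_mounts(text, ignore=BOOT_MOUNTS):
    """List (mountpoint, device name) pairs with no crypt layer beneath them."""
    devices = parse_lsblk_pairs(text)
    findings = []
    for dev in devices.values():
        mountpoint = dev["MOUNTPOINT"]
        if not mountpoint or mountpoint in ignore:
            continue
        if not is_encrypted(dev["KNAME"], devices):
            findings.append((mountpoint, dev["NAME"]))
    return sorted(findings)


def main(argv):
    if "--live" in argv:  # read the real block tree on this host
        text = subprocess.run(["lsblk", "-P", "-o", LSBLK_COLUMNS],
                              check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_LSBLK
    findings = unencrypted_mounts(text)
    for mountpoint, name in findings:
        print(f"UNENCRYPTED {mountpoint} ({name})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--live` on a fleet via your configuration management or endpoint agent and the non-zero exit code becomes the per-device evidence an OCR corrective action plan asks for. The check proves only that a volume is encrypted at rest; it says nothing about how the LUKS key is protected (a passphrase of trivial strength, or a keyfile stored on the cleartext /boot partition, defeats the purpose), so pair it with a review of the unlock method.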

OCR has six educational programs for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Each program is available with free Continuing Medical Education credits for physicians and Continuing Education credits for health care professionals, and one module focuses specifically on mobile device security: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training

The Resolution Agreements can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html

To learn more about non-discrimination and health information privacy laws, your civil rights and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at www.HHS.gov/OCR


HIPAA Compliance Deadline Looming

September 12, 2013


As most of our readers are aware, the HIPAA Privacy and Security revisions were issued in January of this year and took effect in March. Under the new rules, group health plans and business associates have until September 23 to become compliant.

To comply with the final regulations, employers should take the following actions:

Business Associate Agreements
Review plan providers and determine which of them are now business associates under the final rule’s expanded definition. In addition, employers should ensure that their plans enter into a compliant business associate agreement (BAA) with every business associate.

Notice of Privacy Practices
Revise existing Notice of Privacy Practices to incorporate new disclosure requirements. The notice should be revised to include notification that individuals will be notified upon a breach of PHI, written authorization is required when PHI is sold or used for marketing purposes, and that PHI containing genetic information may not be used for underwriting purposes.

For fully insured plans, these notices are typically issued by the carrier. Under self-funded arrangements they may be separate documents issued by the TPA or the employer, but they are often incorporated into the SPD (Summary Plan Description).

HIPAA Policies and Procedures
Review and revise existing policies and procedures to comply with changes required under the final regulations. Updates need to reflect changes to the breach notification procedures, expansion of individual rights, expanded restrictions on marketing and sale of PHI, and the prohibition on use of PHI for underwriting purposes.


Update 2013-Electronic Medical Records-What’s next?

June 28, 2013


Earlier this year in my article on “Electronic Medical Records in the Age of Reform” we explored why the Federal government is in support of the implementation of Electronic Medical Records (EMRs) along with how EMRs are created and maintained as well as the advantages and disadvantages. At that time uncertainty remained as to how successful efforts would be in prompting doctors and hospitals to adopt this new technology.

Although only about six months have passed, the Department of Health and Human Services (HHS) recently announced that more than half of physicians’ offices and 80 percent of hospitals that serve Medicare or Medicaid patients will have EMRs in place by the end of this year. This translates into more than three out of four physicians using the technology. (UBM Medica US) This development puts the administration on target to meet both of the goals set for 2013.

Kathleen Sebelius, HHS Secretary, announced in May 2013 that “we have reached a tipping point in the adoption of electronic medical records,” and Farzad Mostashari, National Coordinator for Health Information Technology at HHS, stated that “in four years, they’ve made more progress than in the previous 20 years.”

Achievement of these goals is due in large part to government incentives under which physicians and hospitals are eligible to receive payments for meeting the “meaningful use” standard. The Centers for Medicare & Medicaid Services (CMS) reports making $14.6 billion in incentive payments since the program started in 2011. Keep in mind that the incentive payments will expire and eventually be replaced with penalties for providers that have not adopted the technology.

As discussed in my earlier article, EMRs are expected to improve patient care and allow better information sharing between health care providers. But much more can be accomplished. So now that the goal on EMR adoption rates has been reached, what can we expect next?

A stage has been reached at which providers must show they can store data and track it as well as be able to report quality measures and engage patients electronically. EMR adoption is viewed as a critical step in the transition of America’s healthcare payment system to one that pays for outcomes rather than services. In order to demonstrate quality, providers need access to the data collected by EMR systems. (UBM Medica US)

As discussed in the 2013 Physicians Practice Technology Survey, the early years of EMR implementation were about getting data into the system, but in the past few years the focus has turned to effectively getting data out. Many health care providers have implemented EMR technology but are not using the reporting tools that came with their systems to deliver analytics and, eventually, predictive analytics. System vendors are an invaluable resource in fully implementing the capabilities that already exist. These capabilities will allow providers to track and monitor patient care more thoroughly, identify high-risk patients, and improve care while reducing costs.

An excellent example of the predictive analytics possibilities that exist can be seen in recent work by the Centers for Disease Control and Prevention (CDC) on An Algorithm That Identifies Coronary and Heart Failure Events in the Electronic Health Record.

The 2013 Physicians Practice Technology Survey further states that, as the capabilities of EMRs are realized and physician practices continue to embrace additional new technologies, we can expect:

  • Increased physician access to health information using mobile devices including tablets and smartphones while in or out of the office.
  • Increased implementation of patient portals allowing more convenient and efficient access to new tools that will be used for items such as booking of appointments, viewing test results and refilling prescriptions.
  • Increasing use of social media by physicians. The number of physicians using social media almost doubled from 17% in 2011 to 33% in 2013.
  • Increased participation in health information exchanges making access to information more instantaneous across a network of providers in a secure and interoperable way thereby allowing access and coordination of patient care rendered at other health care facilities.
  • Expanding the use of telemedicine services to meet the needs of an aging population and greater focus on preventative care.

In summary, the adoption rate of EMRs has progressed at a pace that meets or exceeds expectations for 2013. Improvement in patient care and reduction in healthcare costs are anticipated as we move into the next steps of implementation. As EMR technology becomes more commonplace it will pave the way for additional healthcare technologies which will benefit and provide convenience for both doctor and patient alike.


DOL Issues HIPAA & ACA Self Compliance Tools

March 5, 2013


Recognizing the ever-growing complexities that employers face in offering sponsored health plans, the Department of Labor has issued two self-compliance tools. These self-tests are designed to help determine whether offered plans are compliant with HIPAA and with some of the provisions of PPACA.

The Affordable Care Act compliance tool provides a checklist of items that are currently defined for PPACA and provides guidance to plan sponsors on how things should already be operating. The tool does not provide guidance or testing on regulations that have not yet been finalized and does not attempt to provide future guidance nor should it be considered definitive on all topics related to the ACA.

The HIPAA & Other Health Care-Related tool predominantly evaluates regulations other than those associated with PPACA. Its intent is to help determine whether a plan is compliant with the HIPAA non-discrimination rules, wellness program guidelines, mental health parity, the WHCRA (Women’s Health and Cancer Rights Act) and the Newborns’ and Mothers’ Health Protection Act.

These tools provide an excellent initial evaluative methodology for plan compliance. However, neither tool should be regarded as a comprehensive utility. Plan sponsors should use the tools to establish their preliminary compliance status and then work to identify the topics the tools do not review, including future activity related to PPACA and other health care regulations.


HIPAA Privacy and Security Revisions

February 4, 2013


On January 17, 2013 the U.S. Department of Health and Human Services (HHS) released its final rule modifying the Privacy Rule, the Security Rule and the Enforcement Rule under the Health Insurance Portability and Accountability Act (HIPAA) as well as the Breach Notification Rule under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

The final rule takes effect on March 26, 2013, and covered entities and business associates are required to comply by September 23, 2013.


Business Associates
The new rules expand the scope of those subject to HIPAA requirements to cover additional business associates that have direct or indirect access to protected health information (PHI). This includes health information exchanges, e-prescribing gateways, personal health record (PHR) vendors and data storage vendors.

Penalty Provisions
The new rules subject all business associates, as well as covered entities, to penalties for HIPAA violations. Under the tiered penalty structure, violations due to willful neglect draw the highest per-violation amounts, and penalties for violations of an identical provision are capped at $1.5 million per calendar year. The rule also clarifies when breaches of information must be reported to the HHS Office for Civil Rights.

Patient Rights
The new rules expand patients’ ability to access their medical information and give patients who pay for a service out of pocket the option to restrict disclosure of that information to their health plan.

The new patient rights will require updates to patient rights disclosures, including the Notice of Privacy Practices.


The released regulations run to 563 pages of technical and complex requirements. Given the anticipated increase in federal scrutiny of plans, employers and plan administrators would be well advised to re-evaluate their current HIPAA compliance programs to ensure that all of the new changes are addressed.
