The U.S. Department of Health and Human Services’ Office for Civil Rights made headlines last month when it issued a Request for Information (RFI), seeking input from the public on how the HIPAA Rules — specifically the HIPAA Privacy Rule — could be modified.
The announcement noted that the original HIPAA Rules were developed to protect individuals’ health information privacy and security while still permitting information to be shared for important purposes, and that the Office is now responding to concerns that certain provisions may no longer be achieving those dual goals.
“We look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Lisa J. Pino, director of the Office for Civil Rights.
Health care organizations of all types and sizes should take note of this action as it may well portend changes in data privacy and security regulations under HIPAA that will impact their compliance plans, contract negotiations and product development initiatives.
HIPAA’s Privacy Rules are designed to ensure confidentiality and integrity of protected health information, including electronic health information. A health plan — or other covered health entity — has a number of obligations under those rules. These rules are complex, detailed and come with serious enforcement implications.
To help navigate these requirements, the LexisNexis Practical Guidance team has created a Health Information Privacy and Security Resource Kit, which is designed to help in-house counsel and other attorneys locate essential resources addressing health information privacy and security issues.
One of the components of this resource kit is a comprehensive practice note from Gabriel Marinaro, partner at Akerman LLP, which combs through HIPAA’s privacy, security, breach notification and other administrative simplification rules.
Here are eight keys for health plans to satisfy HIPAA Privacy Rules, excerpted from Marinaro’s practice note on Lexis+:
Safeguards
The plan must have appropriate administrative, technical and physical safeguards to: (1) reasonably protect Protected Health Information (PHI) from any intentional or unintentional use or disclosure in violation of the Privacy Rule, and (2) limit incidental uses or disclosures arising from an otherwise permitted use or disclosure. These safeguards should be designed to protect PHI throughout its handling by the plan, from receipt or creation to destruction or disposal. Guidance for the disposal of PHI can be found in this practice note regarding the Disposal of Protected Health Information under HIPAA.
Written privacy policies and procedures
The plan must implement and maintain up-to-date written policies and procedures setting forth in detail privacy and security practices reasonably designed to ensure compliance with the Privacy Rule, taking into account the size and type of activities relating to PHI undertaken by the plan. The privacy policies and procedures provide detailed instructions for those members of the employer's workforce tasked with handling PHI.
Privacy officer
The plan must appoint a privacy official who is responsible for the development and implementation of the privacy policies and procedures and designate a contact person or office for receiving complaints under the Privacy Rule.
Training
The plan must train members of the employer's workforce on PHI privacy procedures as necessary and appropriate for them to carry out their functions for the plan. Each employee who will have access to PHI must receive training within a reasonable period of time after obtaining the relevant position. If there is a material change in the policies or procedures, additional training is required within a reasonable period of time after the material change becomes effective. See this HIPAA Privacy and Security Training Presentation for a possible template.
Complaints
The plan must provide a process for individuals to make complaints concerning the plan's privacy policies and procedures and document all complaints received and their disposition, if any.
Sanctions
The plan must apply and document sanctions against workforce members who fail to comply with the privacy policies and procedures of the group health plan.
Duty to mitigate
The plan must mitigate any use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the group health plan or any of its business associates.
Documentation
The plan must maintain written records of its policies and procedures and any communications, actions, activities, or designations required to be in writing under the Privacy Rule for a period of no less than six years. Documentation standards also apply to hands-off plans, but only with respect to specific plan document requirements identified in the rules.
In addition to these eight keys, it is important to note that all group health plans are prohibited from intimidating, coercing, discriminating against, or taking other retaliatory action against an individual for filing a complaint under the Privacy Rule or for exercising any other right granted to the individual under the Privacy Rule or Breach Notification Rule. Moreover, no plan may require an individual to waive his or her HIPAA rights under the HIPAA Privacy Rule or Breach Notification Rule as a condition to receiving treatment or benefits under a plan or eligibility or participation in the plan.
LexisNexis has created a free resource to help guide in-house counsel through the process of satisfying HIPAA’s data privacy and security rules. You can check it out here.
Practical Guidance now features a new Healthcare module, which contains valuable tools and resources necessary to practice with confidence and efficiency. Experience it for yourself by signing up for a free 7-day trial of Lexis+ General Counsel Suite.