The U.S. Department of Health and Human Services’ Office for Civil Rights made headlines last month when it issued a Request for Information (RFI), seeking input from the public on how the HIPAA Rules — specifically the HIPAA Privacy Rule — could be modified.
The announcement noted that the original HIPAA Rules were developed to protect individuals’ health information privacy and security, while still permitting information to be shared for important purposes, but is responding to concerns raised about how certain provisions may no longer be achieving those dual goals.
“We look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Lisa J. Pino, director of the Office for Civil Rights.
Health care organizations of all types and sizes should take note of this action as it may well portend changes in data privacy and security regulations under HIPAA that will impact their compliance plans, contract negotiations and product development initiatives.
HIPAA’s Privacy Rules are designed to ensure confidentiality and integrity of protected health information, including electronic health information. A health plan — or other covered health entity — has a number of obligations under those rules. These rules are complex, detailed and come with serious enforcement implications.
To help navigate these requirements, the LexisNexis Practical Guidance team has created a Health Information Privacy and Security Resource Kit, which is designed to help in-house counsel and other attorneys locate essential resources addressing health information privacy and security issues.
One of the components of this resource kit is a comprehensive practice note from Gabriel Marinaro, partner at Akerman LLP, which combs through HIPAA’s privacy, security, breach notification and other administrative simplification rules.
Here are eight keys for health plans to satisfy HIPAA Privacy Rules, excerpted from Marinaro’s practice note on Lexis+:
1. Safeguards: The plan must have appropriate administrative, technical and physical safeguards to: (1) reasonably protect Protected Health Information (PHI) from any intentional or unintentional use or disclosure in violation of the Privacy Rule, and (2) limit incidental uses or disclosures arising from an otherwise permitted use or disclosure. These safeguards should be designed to protect PHI throughout its handling by the plan, from receipt or creation to destruction or disposal. Guidance for the disposal of PHI can be found in this practice note regarding the Disposal of Protected Health Information under HIPAA.
2. Written privacy policies and procedures: The plan must implement and maintain up-to-date written policies and procedures setting forth in detail privacy and security practices reasonably designed to ensure compliance with the Privacy Rule, taking into account the size and type of activities relating to PHI undertaken by the plan. The privacy policies and procedures provide detailed instructions for those members of the employer's workforce tasked with handling PHI.
3. The plan must appoint a privacy official who is responsible for the development and implementation of the privacy policies and procedures and designate a contact person or office for receiving complaints under the Privacy Rule.
4. The plan must train members of the employer's workforce on PHI privacy procedures as necessary and appropriate for them to carry out their functions for the plan. Each employee who will have access to PHI must receive training within a reasonable period of time after obtaining the relevant position. If there is a material change in the policies or procedures, additional training is required within a reasonable period of time after the material change becomes effective. See this HIPAA Privacy and Security Training Presentation for a possible template.
5. The plan must provide a process for individuals to make complaints concerning the plan's privacy policies and procedures and document all complaints received and their disposition, if any.
6. The plan must apply and document sanctions against workforce members who fail to comply with the privacy policies and procedures of the group health plan.
7. Duty to mitigate: The plan must mitigate any use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the group health plan or any of its business associates.
8. The plan must maintain written records of its policies and procedures and any communications, actions, activities, or designations required to be in writing under the Privacy Rule for a period of no less than six years. Documentation standards also apply to hands-off plans, but only with respect to specific plan document requirements identified in the rules.
In addition to these eight keys, it is important to note that all group health plans are prohibited from intimidating, coercing, discriminating against, or taking other retaliatory action against an individual for filing a complaint under the Privacy Rule or for exercising any other right granted to the individual under the Privacy Rule or Breach Notification Rule. Moreover, no plan may require an individual to waive his or her HIPAA rights under the HIPAA Privacy Rule or Breach Notification Rule as a condition to receiving treatment or benefits under a plan or eligibility or participation in the plan.
LexisNexis has created a free resource to help guide in-house counsel through the process of satisfying HIPAA’s data privacy and security rules. You can check it out here.
Practical Guidance now features a new Healthcare module, which contains valuable tools and resources necessary to practice with confidence and efficiency. Experience it for yourself by signing up for a free 7-day trial of Lexis+ General Counsel Suite.