
Entries in Health Plans (62)


HIPAA Breach Notification – Part II (Determining Whether a Breach Has Occurred)

In a previous post we provided a brief overview of the new privacy breach notification requirements under HIPAA (as amended by the HITECH Act), as they relate to employer-sponsored group health plans. This post will focus on determining whether a privacy breach has occurred, including the exceptions and the all-important risk assessment.

The determination of whether a privacy breach has occurred and notification is required involves a three-step process: (1) a threshold investigation as to whether an unauthorized acquisition, access, use or disclosure of unsecured PHI has occurred; (2) a determination as to whether an exception could apply to completely mitigate the breach; and (3) a judgment regarding the nature of the breach and the likelihood that the individual whose PHI was breached will suffer some kind of significant harm. As noted in the earlier post, the term "unsecured PHI" means PHI that is not encrypted or otherwise rendered unintelligible or unusable. Since very few employers have both the ability and the inclination to meet the high standards for security set by HHS, we will assume that the PHI involved is unsecured.



HIPAA Breach Notification – Part I (Overview)

The privacy provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) are designed to close a gap in the health information privacy and security framework first established under HIPAA back in 2003. The original statute and the resulting U.S. Department of Health and Human Services (HHS) rules and regulations (45 C.F.R. Parts 160 to 164) required "covered entities" (including employer-sponsored group health plans) to ensure the privacy of an individual's "protected health information" (PHI). But neither the original statute nor the HHS regulations expressly required a covered entity to notify an affected individual about a breach of his or her privacy. The HITECH Act and subsequent HHS regulations close that gap by instituting affirmative privacy breach notification requirements. The breach notification requirements became effective September 24, 2009, but enforcement activity was officially postponed until February 22, 2010. This post will offer some general thoughts about the HIPAA breach notification rules as they relate to employer-sponsored group health plans. Future posts will consider selected elements of the rules.

