HIPAA update for employer-sponsored health plans

The Office for Civil Rights (OCR, the arm of the U.S. Department of Health & Human Services that enforces the HIPAA privacy and security rules, imposed almost $29 million in HIPAA penalties in 2018—an all-time record. The penalty cases include multiple instances of failure to have business associate agreements in place, failure to terminate access to Protected Health Information (PHI) when terminating an employee, and failure to review records of access to PHI. In addition, OCR has issued informal guidance on appropriate security for smart phones and laptops that hold or can access PHI, the dangers of insider threats to the security of PHI, and issues relating to the use of cloud storage and processing for PHI.

• Knowledge of HIPAA privacy and security terminology and health plan obligations
• Awareness of most common HIPAA privacy and security violations
• How to distinguish between PHI and employer information that is not PHI
• Why the risk analysis is the foundation of HIPAA privacy and security compliance
• Lessons from the $16 million penalty for a health plan HIPAA breach 
• The importance of updating HIPAA privacy and security training
• How HIPAA obligations differ between fully insured health plans and self-funded health plans
   

• Which employer-sponsored health plans are subject to HIPAA privacy and security obligations
• Recent resolutions of alleged HIPAA privacy and security violations
• The status of the Phase 2 HIPAA privacy and security audits
• Ransomware and phishing attacks
• Business associate agreement
• Participants’ access to their own PHI
• Protection of PHI on mobile devices and when traveling
• Mental health and substance abuse privacy and security requirements
• HIPAA privacy and security in the context of employer-sponsored wellness programs 
• Employer obligations for fully insured health plans
   

Employers that sponsor health plans for their employees hold PHI that is subject to the HIPAA privacy and security rules and they have legal obligations to protect that PHI. Keeping updated on the latest HIPAA guidance and enforcement trends is a cornerstone of compliance and this webinar will review the latest information from OCR and other sources.

Anyone who has responsibility for choosing or budgeting for health plan offerings, handling health plan enrollment and recordkeeping, dealing with health plan third-party service providers, answering employees’ questions about their health coverage, or health plan legal compliance. Depending on the size of the company, this might include the CEO or CFO, a VP for Benefits or HR, HR managers and front-line HR staff. It may also include compliance officers, payroll managers or staff, and IT security staff.

Christine Williams has worked in the employee benefits field since 1987, both in private practice and as in-house counsel to a Fortune 100 company, and now as a consultant. She has extensive experience with all types of health and welfare plans, and was the editor and a contributing author of HIPAA Portability, Privacy, & Security, published by Employee Benefits Institute of America (EBIA), a division of ThomsonReuters, and is still a contributor to that publication. She was a contributing author of Health Care Reform for Employers and Advisors, also published by EBIA. She has provided advice on HIPAA, health care reform, COBRA, ERISA, and other compliance issues to a wide range of benefit plans, employers that sponsor benefit plans, and business associates. In 2017 she left the active practice of law and founded Health Plan Plain Talk, a consulting firm to assist employers and others with benefit plan compliance. She regularly teaches seminars for employee benefit professionals and writes about benefit plan compliance. Before moving into employee benefits Ms. Williams was an assistant professor at the University of Maryland School of Law. She earned her law degree from the University of Kentucky College of Law.