
From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer

Published in The County of Orange Insurance News, March-April, 2020

There are no HIPAA Privacy & Security settlement agreements to report this issue, but I do have some important news from HHS/OCR.

HHS recently announced its annual adjustments to Civil Monetary Penalties for HIPAA, MSP and SBC violations. In addition, HHS issued a Notice of Violation to California for its Abortion Coverage Mandate, and announced a bulletin on HIPAA Privacy & The Novel Coronavirus.

HHS Issues Notice of Violation to California for its Abortion Coverage Mandate

OCR is issuing a Notice of Violation to the state of California, formally notifying California that it cannot impose universal abortion coverage mandates on health insurance plans and issuers in violation of federal conscience laws. California has deprived over 28,000 people of plans that did not cover elective abortion; those plans must now cover abortion because of California’s mandate.

OCR’s investigation arose from two complaints alleging that California engaged in unlawful discrimination when California’s Department of Managed Health Care (DMHC) ordered, in August 2014, that all health plan issuers under its jurisdiction must offer coverage for elective abortion in every plan they offer.  The two complainants are the Missionary Guadalupanas of the Holy Spirit, a Catholic order of religious sisters, and Skyline Wesleyan Church, a non-profit Christian church—organizations whose religious beliefs preclude them, in good conscience, from helping to pay for insurance coverage for elective abortions.

Pursuant to 45 CFR Part 88 (effective March 2011), OCR has completed the investigation of the complaints and determined that California violated the Weldon Amendment by mandating that California health care plan issuers cover elective abortion in each plan product, and continues to violate federal law by continuing to require objecting health care entities protected by the Weldon Amendment to cover elective abortion.  With this Notice, OCR requests that California inform OCR, within thirty days, whether California will continue to enforce its requirement that all health plans cover elective abortions, or whether it will agree to take corrective action and remedy the effect of its discriminatory conduct.

If, after 30 days, OCR does not receive sufficient assurance that California will come into compliance with federal law, OCR will forward the Notice of Violation and the evidence supporting the OCR findings in this matter to the HHS funding components from which California receives funding for appropriate action under applicable grants and contracts regulations. This action may ultimately result in limitations on continued receipt of certain HHS funds.

For more information, go to hhs.gov/ocr/privacy, and find notice dated January 24, 2020.

HHS has announced its annual adjustments of civil monetary penalties for statutes within its jurisdiction in accordance with a 2015 law requiring annual adjustments for inflation by January 15 of each year. The latest amounts are based on a cost-of-living increase of 1.01764%. Here are highlights of the adjustments potentially affecting employer-sponsored health plans:

HIPAA Administrative Simplification. HIPAA administrative simplification encompasses standards for privacy, security, breach notification and electronic healthcare transactions. The HITECH Act substantially increased the penalty amounts for violations of these standards, creating four categories of violations that reflect increasing levels of culpability and establishing minimum and maximum penalty amounts, as well as an annual cap on penalties for multiple violations of an identical provision. The indexed penalty amounts for each violation of a HIPAA administrative simplification provision are as follows:

· Tier 1—lack of knowledge: The minimum penalty is $119 (up from $117); the maximum penalty is $59,522 (up from $58,490); and the calendar-year cap is $1,785,651 (up from $1,754,698).

· Tier 2—reasonable cause and not willful neglect: The minimum penalty is $1,191 (up from $1,170); the maximum penalty is $59,522 (up from $58,490); and the calendar-year cap is $1,785,651 (up from $1,754,698).

· Tier 3—willful neglect, corrected within 30 days: The minimum penalty is $11,904 (up from $11,698); the maximum penalty is $59,522 (up from $58,490); and the calendar-year cap is $1,785,651 (up from $1,754,698).

· Tier 4—willful neglect, not corrected within 30 days: The minimum penalty is $59,522 (up from $58,490); the maximum penalty is $1,785,651 (up from $1,754,698); and the calendar-year cap is $1,785,651 (up from $1,754,698). [EBIA Comment: The calendar-year caps for Tiers 1–3 do not reflect the enforcement discretion announced by HHS in April 2019, which significantly reduces the penalty caps for those tiers, perhaps because HHS still has not formalized the enforcement discretion.]

HIPAA Privacy & Novel Coronavirus

On February 3, 2020, HHS released a bulletin on the Coronavirus outbreak and how HIPAA relates in such circumstances.

In light of the Novel Coronavirus (2019-nCoV) outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is providing this bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.

The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

The U.S. Centers for Disease Control and Prevention (CDC) has advised: if you were in China within the past 14 days and feel sick with fever, cough, or difficulty breathing, you should get medical care. Call the office of your health care provider before you go and tell them about your travel and your symptoms. They will give you instructions on how to get care without exposing other people to your illness. While sick, avoid contact with people, don’t go out and delay any travel to reduce the possibility of spreading illness to others. More information from the CDC is available at: https://www.cdc.gov/coronavirus/2019-ncov/downloads/2019-ncov-factsheet.pdf.

Sharing Patient Information

Treatment

Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.

Public Health Activities

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

· To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).

· At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i).

· To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification

A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).

The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

In addition, a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death.  It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Disclosures to Prevent a Serious and Imminent Threat

Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j). Thus, providers may disclose a patient’s health information, without the patient’s permission, to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. See 45 CFR 164.512(j).

Minimum Necessary

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).

Safeguarding Patient Information

In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.

HIPAA Applies Only to Covered Entities and Business Associates

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. For more information on HIPAA and Public Health, please visit:

https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html
