Several years ago, the Equal Employment Opportunity Commission (EEOC) raised employers’ eyebrows when it filed several lawsuits challenging the validity of employer-sponsored wellness programs. The EEOC contended that such programs violate the ADA and GINA due to terms that rewarded or punished employees and dependents based on their degree of participation in the wellness initiatives. Federal courts were largely unsympathetic to these challenges, noting provisions in other federal laws specifically endorsing the use of wellness programs as a way to improve employee health and help control plan expenses.
Receiving an email that your practice has been identified for participating in the HIPAA Privacy, Security, and Breach Rules Audit Program is enough to raise anyone’s blood pressure. The likely response is to open the email immediately, determine the scope of the audit, and mobilize a team to prepare for the response.
The Office for Civil Rights (“OCR”) has issued new guidance in response to an increase in malicious cyberattacks, namely ransomware attacks on healthcare organizations’ computer systems. HHS defines ransomware as a type of malicious software whose defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker, until the requested ransom is paid.
The possibility of business associates being audited, investigated, and ultimately fined is now a reality. On June 24, 2016, the United States Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) for $650,000 to settle potential HIPAA violations related to the theft of a CHCS iPhone that contained the protected health information of 412 nursing home residents.
This is the first settlement of this kind with a business associate. If there was ever a question as to how diligent business associates must be in implementing a HIPAA-compliant program that includes the management of mobile devices used to store or transmit protected health information, this settlement makes it clear that business associates should be very vigilant.
The Equal Employment Opportunity Commission issued final regulations on Wednesday that place limits on financial incentives used in certain employer-sponsored wellness programs. The two rules, issued under the ADA and GINA, essentially limit such incentives or penalties to 30 percent of the cost of employee-only group medical coverage. Wellness programs that require employee or spouse medical examinations, or disclosure of family medical history, cannot include financial terms that reward or punish employees beyond this level based on their participation decision.
An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely because a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
The Office for Civil Rights (“OCR”) recently announced that Phase 2 of the HIPAA audits would be further delayed because the audit portals and project management tools needed to initiate the audit process are not yet ready for use. Phase 2 of the HIPAA audits was initially slated to begin in the fall of 2014 and was subsequently moved to late 2014 or early 2015. Currently, no timeline has been provided as to when the next round of audits will officially begin.
A delay in Phase 2 of the OCR HIPAA audits does not relieve covered entities and business associates of the obligation to remain in compliance with all HIPAA regulations. The potential consequences for failure to comply with HIPAA regulations are significant. While the audit portals are still under development, it is a good time for covered entities to (i) make sure their HIPAA policies and procedures are up to date and meet the latest privacy and security requirements, (ii) create a list of all business associates that provide services to the covered entity, and (iii) conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Among other things, Parker Poe’s healthcare attorneys advise our healthcare clients about (i) compliance with HIPAA’s privacy requirements as they affect healthcare information, including preparing employee and patient notices, plan policies and procedures, plan amendments and authorization and other forms, and (ii) HIPAA compliance requirements for business associates.
The Equal Employment Opportunity Commission has made emerging issues in employment discrimination law one of its national enforcement priorities. Last week, the EEOC settled a lawsuit brought against a California seed and fertilizer provider, alleging that the employer required applicants to submit to pre-employment medical examinations that included solicitation of family medical histories.
Under the Genetic Information Nondiscrimination Act, employers cannot require applicants or employees to disclose family medical histories as a condition of employment. The EEOC claimed that the defendant refused to hire at least one applicant after he revealed that family members had suffered from a medical condition. In addition to violating GINA, the EEOC alleged that the pre-employment examination violated the Americans with Disabilities Act, because the employer screened applicants based on medical conditions that were unrelated to the requirements of the job. The employer agreed to pay $187,500 and to adopt measures intended to prevent use of such medical examinations as a screening tool in its hiring.
Most employers and medical providers that conduct pre-employment examinations are aware of these requirements, and have deleted requests for family medical histories from their exams. In addition to complying with GINA, employers should periodically review their post-offer, pre-hire examination procedures to make sure that medical grounds used to exclude an applicant from employment are clearly and directly related to their essential job functions. If the exclusion is based on a possible ADA disability, the employer needs to fully explore available reasonable accommodations before making a final decision to reject the applicant.
Jonathan Crotty has been a successful counselor and problem solver for large and small employers in the Carolinas and beyond for over 20 years. He heads Parker Poe’s Employment and Benefits practice group and represents employers in all aspects of the employment relationship, from hiring to discharge.