New EEOC Rules Complicate Task of Designing a Compliant Employer Wellness Program

By Laura Gerdes Long

Co-authored by Laura Gerdes Long and Katherine M. Flett

In 2016, after years of twists and turns, backs and forths, the Equal Employment Opportunity Commission (EEOC) issued final rules that went into effect in January 2017 and apply to all employer group health insurance plans that offer wellness programs.

The final rules follow the EEOC’s 2015 proposed rules under the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), which addressed whether an employer that offers employees an incentive to provide health information effectively renders the program “involuntary” and therefore discriminatory under the ADA.

In October 2016 AARP filed a challenge arguing that the rules were arbitrary and capricious under the Administrative Procedure Act (APA), because incentives of the size the rules permit render the disclosure of GINA- and ADA-protected information involuntary and therefore unlawful. In December 2016 the U.S. District Court for the District of Columbia denied AARP’s motion for a preliminary injunction, reasoning that the information collected under the regulations is not publicly disclosed and that employers are statutorily forbidden from using it to discriminate against employees. (The same court later, in August 2017, granted summary judgment to AARP and sent the rules back to the EEOC, so the incentive limits discussed here should be checked against the current state of the rules before a program is designed around them.)

Categories of Employer Wellness Programs

Employer wellness programs generally fall into two categories: participatory programs and health-contingent programs. Participatory programs offer a financial incentive for participation but do not require the employee to satisfy any health-related condition to receive it. Examples of such programs include reimbursing gym memberships and offering health education classes.

On the other hand, health-contingent programs generally require the employee to satisfy a health-related standard to obtain a reward. Within the category of health-contingent programs, there are two sub-groups: activity-only programs and outcome-based programs. Activity-only programs require the employee to participate, but not to attain or maintain a specific health outcome. Examples of activity-only programs include rewards for high step counts and dieting. Outcome-based programs require the employee to attain a specific health goal, such as quitting smoking or lowering one’s body mass index (BMI).

Requirements for Health-Contingent Programs Under the ACA, GINA, and ADA Challenged by AARP

Prior to the new EEOC rules, employers sponsoring wellness programs were required to comply with the Affordable Care Act (ACA), ADA and GINA.

The Intersection of HIPAA and Cloud Storage

By Laura Gerdes Long

Co-authored by Laura Gerdes Long and Katherine M. Flett

Our ever-evolving technological society is raising new questions about how to reconcile complex health data protection laws with cloud storage. Storage of data in the “cloud” allows users to store, maintain, and manage data remotely over the internet. Its advantages include accessibility of the cloud-stored data from any location, emergency back-up capacity, and even cost savings. An online search for HIPAA-compliant cloud storage companies reveals that there is no shortage of companies that advertise their “HIPAA-compliant cloud services.” It is important to remember that a vendor’s claim that its cloud storage “is HIPAA compliant” does not shift any of your own HIPAA obligations to the vendor: you remain responsible for how protected health information is used and safeguarded, and the vendor becomes one more party you must manage. Due diligence is required when selecting such a company and in entering into appropriate contractual arrangements with it.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) is responsible for overseeing protection of sensitive health data under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). OCR issued guidance on October 6, 2016, explaining how to safeguard electronic health information protected by HIPAA in today’s widespread cloud networking environment. Among other points, the guidance makes clear that a cloud service provider that creates, receives, maintains, or transmits electronic PHI on a covered entity’s behalf is a business associate under HIPAA, even if it stores only encrypted data and does not hold the decryption key.

HIPAA applies to “covered entities,” and this article will focus on one such covered entity, the health care provider. Most health care providers do not perform all of their health care functions by themselves and instead often use a range of services offered by others, called “business associates” under HIPAA. Health care providers are permitted to disclose protected health information (“PHI”) to these business associates (“BAs”) as long as they obtain satisfactory assurances, through an executed business associate agreement, that the BA will use the information only for the purposes for which it was engaged by the health care provider, will safeguard the information from misuse, and will help the health care provider comply with some of the provider’s own duties under HIPAA.

HIPAA Non-Compliance Results in Largest Single-Entity Settlement to Date

By Laura Gerdes Long

Co-authored by Laura Gerdes Long and Katherine M. Flett

On August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into a settlement agreement with Advocate Health Care Network (Advocate) in which Advocate agreed to pay $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This is the largest HIPAA settlement against a single entity to date, and according to OCR, reflects the extent and duration of the noncompliance.

According to OCR’s press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate breaches of unsecured electronic protected health information (ePHI). The combined breaches affected the ePHI of approximately four million patients.

Another State Rules That Patients Can Sue For Negligence for Violating HIPAA Regulations

By Laura Gerdes Long

The Connecticut Supreme Court has now joined Missouri, West Virginia and North Carolina in rulings connecting HIPAA with negligence lawsuits by patients.

In a case of first impression in Connecticut, the state’s Supreme Court ruled that a patient can sue a medical office for negligence if it violates the patient’s privacy by improperly releasing medical records to a third party. There is no dispute that HIPAA itself does not create a private cause of action. Increasingly, however, courts allow HIPAA to supply the standard of care for how a medical office releases confidential medical records, and a medical office can be found negligent if it releases such records contrary to the requirements of the HIPAA regulations.

Hacked Hospital Network Includes Outstate Missouri Hospitals

By Laura Gerdes Long

4.5M Records Stolen, HIPAA violation

In June 2014, attackers believed to be operating from China used sophisticated malware in a criminal cyber-attack to access patient information from a national hospital system. Community Health Systems, Inc. (“CHS”) operates 206 hospitals across 29 states, including four located in Missouri (Kennett, Kirksville, Moberly, and Poplar Bluff). The breached data is protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”).

In a filing with the U.S. Securities and Exchange Commission, CHS said the attacker was an “Advanced Persistent Threat” group which bypassed CHS’ security measures, successfully copying and transferring certain data outside CHS. Although CHS has confirmed that this data did not include patient credit card, medical, or clinical information, the breach does include patient names, addresses, birth dates, telephone numbers and Social Security numbers. CHS has been working closely with federal law enforcement authorities in connection with their investigation and potential prosecution of those determined to be responsible for this attack.

Under various state and federal laws, CHS is obligated to notify affected patients. The Department of Health and Human Services provides a web page describing the HIPAA Breach Notification Rule’s requirements for covered entities: notice to affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, notice to the Secretary of Health and Human Services, and, where a breach affects more than 500 residents of a state or jurisdiction, notice to prominent media outlets serving that area.

Mizzou Story Highlights Tension Between Doctor-Patient Privilege and Protecting the Patient

By Laura Gerdes Long

A story concerning the death of a female athlete by suicide, her alleged rape, and the university’s handling of those events has placed the issue of patient confidentiality squarely in the headlines. The story highlights the care that must be taken to protect a patient’s ability to speak candidly and honestly to his or her medical provider without fear that such information will be divulged to anyone else without the patient’s permission.

The female student athlete had committed suicide in 2011, approximately 16 months after her alleged rape in 2010 by another student athlete at the school.  According to an email posted to Mizzou’s website on January 24, 2014, an ESPN producer of “Outside the Lines” wanted to know if University of Missouri officials planned to investigate or notify law enforcement about the alleged rape.  Just hours before publishing the story, the ESPN producer asked university officials: Continue reading »

HIPAA vs. Florida and HIPAA Wins!

By Laura Gerdes Long

In a battle between a state statute and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. §§ 1320d to 1320d-9), the Eleventh Circuit Court of Appeals has held that a Florida statute is preempted by HIPAA because it is an obstacle to the “accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.” OPIS Management Resources, LLC, et al. v. Secretary, Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. April 9, 2013).

OPIS and the other plaintiffs are operators and managers of skilled nursing facilities in Florida. In the course of their operations, the nursing facilities received requests from spouses and attorneys-in-fact for the medical records of deceased nursing home residents. Because the requesting parties were not “personal representatives” under HIPAA and its implementing regulations, the facilities refused to disclose the records. The requesting parties then filed complaints with the U.S. Department of Health and Human Services Office for Civil Rights, which concluded that the nursing facilities had acted properly.

The Florida Agency for Health Care Administration, however, issued citations against the nursing facilities for violating Florida law by refusing to release the records because the state statute requires licensed nursing homes to release a former resident’s medical records to the spouse, guardian, surrogate, or attorney-in-fact of any such resident. Fla. Stat. § 400.145(1). Because of the conflicting interpretations of the relevant laws, the nursing facilities filed a complaint for declaratory judgment. The district court granted the nursing facilities’ motion for summary judgment, explaining that the Florida statute affords nursing home residents less protection than is required by the federal law; therefore, the state law is preempted by HIPAA.

Stricter Federal HIPAA Law Trumps State Law

At the heart of the issue is whether the state statute, whose “unadorned text … authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason and without regard to the authority of the individual making the request to act in a deceased resident’s stead,” conflicts with federal law, according to Judge Susan H. Black. Finding that it does conflict, the jurist wrote that the state law “frustrates the federal objective of limiting disclosures of protected health information” and is therefore “preempted by the more stringent privacy protections” imposed by federal law.

Employers and the Health Reform Law

By Laura Gerdes Long

On June 28, 2012, the Supreme Court, in a 5-4 decision, upheld the Patient Protection and Affordable Care Act (the “Act”), more commonly known as the health reform law, including the highly controversial individual mandate. While the Court limited the Act’s planned expansion of Medicaid, the decision was overwhelmingly a “win” for President Obama.

Now that President Obama has been elected to a second term, those who resisted implementing the first set of provisions (waiting for the Court to rule) will have to begin earnestly working to comply with both provisions already in effect and forthcoming provisions, including key provisions which require compliance in 2014: the individual mandate and the employer mandate.

Provisions currently in effect include:

  • No lifetime limits on coverage.
  • Restrictions on annual limits.
  • No “rescissions,” meaning health plans cannot cancel coverage once you are sick unless you committed fraud when you applied for coverage.
  • Dependent coverage for adult children up to age 26, where the adult child lacks employer-sponsored coverage of his or her own.
  • Federal small business tax credits have also been available for employers who provide coverage, with credits differing depending on the size of the company and increasing to 50 percent in 2014.
  • Many employees have already experienced not having to pay out-of-pocket costs for certain preventive services, such as breast cancer screenings and cholesterol tests, and the disqualification of over-the-counter drugs as reimbursable medical expenses for Flexible Spending Accounts (FSAs) and Health Savings Accounts (HSAs).
  • Insurers will have to provide rebates to consumers if they spend less than 80 to 85 percent of premium dollars on medical care.

The impact of both the individual mandate and the employer mandate will not be fully known until closer to 2014; however, there has been great speculation about who will be most impacted.

The Impact of Electronic Storage on Mental Health Care Records

By Laura Gerdes Long

The looming clash over the privacy of mental health care records as they are increasingly being stored electronically was revealed in “As Records Go Online, Clash over Mental Care Privacy,” an article in the June 21, 2012 issue of the Boston Globe.

The Globe article highlighted the case of a patient who attended weekly therapy sessions and, as is typical, revealed her most private secrets, including depression and childhood sexual abuse.  Her psychiatrist at Massachusetts General Hospital would then type a summary into her computerized medical record.  With that, more than 200 pages of sensitive notes became available to any doctor who cared for her within the sprawling Partners HealthCare system.  She discovered this only when a doctor later referenced the notes.

On one hand, Partners (the hospital system) argues that doctors must have a complete picture to make accurate diagnoses and having different rules for psychiatric records contributes to the stigma of mental illness.

On the other hand, this article highlights the delicate privacy issues that are surfacing as electronic medical records become widespread.  Providers in separate networks are preparing to share patients’ records more widely online — to better coordinate care and cut wasteful spending.  This will probably intensify the debate about what should and should not be shared, as well as fears about the unauthorized release of patient information.

As Dr. David Blumenthal, Partners’ chief health information and innovation officer and former national coordinator for health information technology for the Obama administration, said: Continue reading »

Breastfeeding in Public: Mother Sues Sheriff’s Deputy

By Laura Gerdes Long

Co-authored by Laura Gerdes Long and Adrienne R. Lauf

A mother is suing a sheriff’s deputy in Cook County, Illinois for violation of the state’s Right to Breastfeed Act. The mother, who was at the courthouse to apply for food-assistance benefits, was breastfeeding her seven-week-old daughter in the lobby of the courthouse. The mother and her daughter were covered by a blanket at the time of the feeding. The deputy demanded that the mother move from the courthouse lobby to a public bathroom to breastfeed the baby. Because the mother feared she would disrupt the application process for her benefits if she were kicked out of the courthouse, she quit feeding her daughter instead of moving.

Right to Breastfeed in Illinois

In 2004 the General Assembly of Illinois passed the Right to Breastfeed Act. Its stated purpose is:

“The General Assembly finds that breast milk offers better nutrition, immunity, and digestion, and may raise a baby’s IQ, and that breastfeeding offers other benefits such as improved mother-baby bonding, and its encouragement has been established as a major goal of this decade by the World Health Organization and the United Nations Children’s Fund. The General Assembly finds and declares that the Surgeon General of the United States recommends that babies be fed breast milk, unless medically contraindicated, in order to attain an optimal healthy start.”
