HHS Signals Continued Focus on Health Plan Privacy and Cybersecurity
Privacy and security are enforcement priorities for government regulators following HHS's restructuring of its Office for Civil Rights.
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) reached a resolution agreement involving a phishing cyberattack. The organization reported to OCR a breach that occurred in May 2021. The breach happened when a hacker accessed an email account containing patients’ electronic protected health information. The covered entity, a consortium of healthcare providers specializing in emergency and occupational medicine, notified all patients since it could not identify who was impacted. This is the first reported breach stemming from a phishing attack.
OCR determined that the covered entity had not conducted a security risk analysis and had no procedures for regularly reviewing information system activity.
The resolution agreement includes a $480,000 settlement payment and a two-year monitored Corrective Action Plan. The covered entity must create and implement a risk management plan, conduct an annual risk assessment, develop policies for reviews of information system activity, and train its workforce members.
This case emphasizes the importance of cybersecurity protections and highlights the role employees play in following security protocols. Even a single click on a phishing email can result in costly HIPAA violations.