Healthcare Entities Required to Post New Non-Discrimination Notice

The Patient Protection and Affordable Care Act (ACA) prohibits health care entities from discriminating on the basis of race, color, national origin, sex, age, or disability. The ACA prohibition on discrimination applies to covered entities, which means those healthcare entities that receive federal financial assistance through the Department of Health and Human Services (HHS). For example, covered entities include a physician or pharmacy that accepts Medicare or Medicaid, health insurers that offer a plan on the healthcare exchange, and any entity that offers a Medicare Part D plan.

In an effort to enforce the non-discrimination law, HHS issued a new rule in May of 2016 that requires all covered entities to post new non-discrimination notices. Although the rule was finalized in May of 2016, health care entities had until October 16, 2016 to post a new notice of non-discrimination. The new notice must state that the health care entity does not discriminate and that language assistance for the patient is available, and it must delineate how an individual can file a discrimination complaint with HHS. The new notice is intended to decrease discrimination by helping consumers become more aware of their rights.

For further information or to find example HHS non-discrimination notices, visit the following link:

© 2016 Vandenack Weaver LLC
For more information, Contact Us

Final Regulations Issued for Non-Discrimination in Health Programs

Section 1557 of the Patient Protection and Affordable Care Act (ACA) allows the Secretary of Health and Human Services (HHS) to issue regulations pertaining to non-discrimination. Earlier in May of 2016, the Secretary of HHS issued such regulations, which ban the denial of healthcare or health coverage to individuals on the basis of race, color, national origin, sex, age, or disability.

This final rule, the first federal civil rights law that broadly prohibits discrimination on the basis of sex, applies to any federally funded health plan. Although the law prohibits discrimination based upon sex, HHS failed to fully define certain issues, such as whether this covers discrimination based upon sexual orientation. However, HHS’s Office for Civil Rights (OCR), the agency tasked with enforcement, has stated an intention to review all claims in this area to determine whether the discrimination can be addressed under the regulations.

This rule will become effective on July 18, 2016, and will be enforced by OCR. Although OCR is tasked as a primary regulator, compliance burdens will fall to all entities covered by the new regulations, as well as individual citizens because the regulations include a private right of action for violations. Further details can be found at the following link.

© 2016 Vandenack Williams LLC

New HIPAA Rule Allows Mental Health Reporting to Federal Firearm Background Check System

by Matthew J. Effken

The Department of Health and Human Services is relaxing Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) to allow some covered entities to notify the National Instant Criminal Background Check System (NICS) about individuals who are prohibited from having a firearm for mental health reasons.  The NICS is a national database maintained by the FBI and used to conduct background checks for gun purchases.  Under the new rule, the only information that can be reported is the minimum necessary to identify persons who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.

The new rule applies only to those HIPAA covered entities that have lawful authority to make mental health determinations that disqualify an individual from having a firearm, or that are designated NICS reporting entities under state law.  The only information that can be reported is limited identifying information, not diagnostic or clinical information.  The new rule does not apply to most treating providers.  The rule will primarily impact state agencies, boards and commissions outside the court system in states that do not already require that such information be provided to the NICS.

The new rule is effective February 5, 2016.  The text of the rule is available at

© 2015 Vandenack Williams LLC

$750,000 HIPAA Settlement Highlights the Importance of Risk Assessments under HIPAA

By Matthew J. Effken

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and The University of Washington Medicine (UW Medicine) recently announced an agreement to settle an OCR investigation into a self-reported HIPAA breach involving UW Medicine patient records.  The breach occurred when a UW Medicine staff member opened an e-mail attachment that contained malicious code, allowing outsiders to gain potential access to confidential patient information.  The information compromised included treatment and demographic information such as addresses, dates of birth and Social Security numbers for over 90,000 UW Medicine patients.

The settlement agreement states that UW Medicine had adopted HIPAA security policies and procedures, but had not assured that its affiliated entities had implemented such procedures.  UW Medicine also failed to conduct comprehensive risk assessments to identify and respond to potential security vulnerabilities.  The result was a $750,000 monetary penalty, plus a Resolution Agreement that requires at least two years of enhanced reporting to OCR.  UW Medicine also agreed to a reorganization of its compliance program.  Failure to comply with the Resolution Agreement may result in the imposition of additional monetary penalties.

OCR Director Jocelyn Samuels commented: “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.  All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

The Resolution Agreement is available on the OCR website at:

© 2015 Vandenack Williams LLC