
covered entity

Department of Labor Moves to Delay Fiduciary Rule

On Thursday, February 9, 2017, the Department of Labor (DOL) filed a notice with the Office of Management and Budget (OMB) to delay the effective date of the final Conflict of Interest Rule that re-defines who is a fiduciary (the Fiduciary Rule).  While the exact language of the notice will not be known until the OMB’s review is complete and the proposed rule is sent to the Federal Register, many sources are reporting that the notice delays the effective date of the Fiduciary Rule for one hundred eighty (180) days.  The OMB usually takes around ten (10) to fifteen (15) days to review a regulation, and the comment period will reportedly be as short as fifteen (15) days, meaning that the notice delaying the effective date of the Fiduciary Rule by one hundred eighty (180) days could be official as soon as early March.

The DOL is also working on a second notice to be filed with the OMB, which, if approved, will start a new notice and comment period for the Fiduciary Rule.  By pushing out the effective date of the Fiduciary Rule one hundred and eighty (180) days, the DOL now has time to hold another notice and comment period before the rule takes effect.  During this notice and comment period, the DOL will hear concerns on the Fiduciary Rule.  This is likely a result of the executive order issued by President Trump.

On February 3, 2017, President Trump signed an executive order, ordering the DOL to review the Fiduciary Rule.  The executive order more specifically required the DOL to examine whether the Fiduciary Rule (a) is likely to harm investors by reducing access to retirement products, (b) is likely to cause dislocation or disruption within the retirement service industry, and/or (c) is likely to cause an increase in litigation.

The executive order does not delay, amend, or withdraw the enforcement of the Fiduciary Rule, which goes into effect in April 2017; instead, it orders the DOL to examine the Fiduciary Rule for the above issues.  As stated above, it is likely that, as a result of the President’s executive order and the DOL’s instructed review of the Fiduciary Rule, the DOL determined that the rule should be delayed and subject to future comment.


HHS Gets Aggressive: HIPAA Audits from 2016

HHS has become more aggressive with audits, and with increased penalties, covered entities and business associates simply cannot afford an audit on HIPAA rules and regulations.  In March of 2016, HHS's Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program.  OCR released the update on the program last April. The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and utilized by covered entities and business associates to meet the requirements of HIPAA's Privacy, Security, and Breach Notification Rules.   These audits will primarily be conducted off-site, through the production of documents; however, some may be conducted on-site.

To target entities for audit, OCR is requesting that certain information be provided to them about covered entities and business associates, including contact information, size, type, and operations of potential auditees.  From this data, OCR is creating an audit pool.

If an entity does not respond to OCR’s request to verify its contact information or provide answers to additional questions, OCR will use publicly available information about the entity to create its audit subject pool. 

The data from 2016 reflects HHS's increased audit activity.  Below is a summary of some key findings.

In 2016, OCR reported $23.5 million in payouts for HIPAA violations. This was a record high, with the previous high occurring in 2014 with $7.9 million in payouts.  Additionally, average payouts have increased: in 2016 the average HIPAA penalty payout was $1.81 million, up from $1.03 million in 2015.

Further, in 2016, the top causes of HIPAA breaches were unauthorized access / disclosure (44%) and hacking and IT incidents (33%).  Additionally, health care providers were the target of 79% of breaches, which is the highest on record, and health plans were the target of 14% of breaches, the second highest on record.  

Covered entities and business associates would be prudent to do a self-audit to correct any HIPAA issues, as opposed to allowing HHS to uncover such issues, thus subjecting themselves to audit and potential penalties.  HIPAA compliance is a time-consuming process; however, it is a must in light of increased federal audit activity and increased fines.  
