WHAT THE HACK? MALWARE LEADS TO STIFF HIPAA PENALTIES | COURT OKS ACTIVELY MANAGED INVESTMENT OPTIONS | YOU CAN'T GET BLOOD FROM A TURNIP – UNLESS THE PLAN DOCUMENTS SO PROVIDE
The July Monthly Minute addresses a steep settlement and corrective action plan resulting from a widespread HIPAA breach, along with recent employer-friendly cases that highlight judicial support for the inclusion of actively managed funds in 401(k) plan investment lineups and approval of a health plan's self-help remedy to recover improperly paid benefits.
What the Hack? Malware Leads to Stiff HIPAA Penalties
In 2018, Oklahoma State University – Center for Health Sciences (OSU-CHS) filed a breach report stating that an unauthorized third party had gained access to its web server. Specifically, a hacker installed malware that resulted in the unauthorized disclosure of electronic protected health information (PHI) of 279,865 individuals. While OSU-CHS initially reported that the breach occurred in 2017, it later reported that the electronic PHI was first impermissibly disclosed in 2016. A subsequent HHS investigation found numerous potential HIPAA violations, including impermissible uses and disclosures of PHI, failure to conduct a required risk analysis, failure to implement audit controls and security incident response and reporting procedures, and failure to provide timely breach notification. In addition to an $875,000 monetary settlement paid to HHS, the May 2022 Resolution Agreement requires OSU-CHS to undertake a robust corrective action plan that includes two years of monitoring, an enterprise-wide risk analysis of security threats, and implementation of a risk management plan to mitigate any such threats.
KMK Comment: The far-reaching impact of the breach, combined with the covered entity's delayed reporting and lack of awareness of what was stored on its server, likely served as aggravating factors in OSU-CHS' settlement negotiations. This case is a stark reminder to HIPAA covered entities (including health plans) of the need to follow HIPAA's breach notification requirements carefully and in a timely fashion, while also complying with HIPAA's privacy and security mandates and maintaining a keen understanding of where PHI is stored.
Court OKs Actively Managed Investment Options
The Sixth Circuit recently delivered a win to employers in an excessive fee case in which the plaintiff also objected to the inclusion of actively managed investment fund offerings. In Smith v. CommonSpirit Health, the plaintiff alleged that plan fiduciaries breached their duty of prudence by offering actively managed investments in lieu of passively managed mutual funds, which resulted in the plan paying excessive fees. The plan at issue offered 28 different funds, including several low-cost index funds and several actively managed funds with fees as high as 0.82%. The Court wasted no time rejecting the plaintiff's claims, stating in the first paragraph of the decision: "ERISA... does not give the federal courts a broad license to second-guess the investment decisions of retirement plans." In support of the plan's inclusion of actively managed funds, the Court noted that such funds are a common fixture of retirement plans and that "[i]t is indeed possible that denying employees the option of actively managed funds... would itself be imprudent." The Court also reminded fiduciaries that "ERISA... does not allow fiduciaries merely to offer a broad range of options and call it a day.... [t]he plan must ensure that all fund options remain prudent options." However, a showing of imprudence does not come down to simply pointing to a fund with better performance, which was the key flaw in the plaintiff's claim.
KMK Comment: Overall, the decision is a resounding win for employers and a word of caution to plaintiffs seeking to rely on generic and overly broad allegations. This decision may also set the stage for a circuit split as more appellate courts review and apply recent Supreme Court precedent addressing the need for context-specific inquiries (see Supreme Court Remand Demands Context-Specific Inquiry in Retirement Plan Fee Cases).
You Can't Get Blood from a Turnip – Unless the Plan Documents So Provide
In an about-face, the Ninth Circuit reversed the district court's summary judgment in favor of the plaintiffs in an action that hinged on reimbursement language included in the plan documents. In Mull v. Motion Picture Industry Health Plan, a participant's covered dependent received a recovery from a third party in connection with a car accident in which she sustained injuries. Although the plan terms made the participant liable to the plan for reimbursement of benefits paid under these circumstances, the settlement funds had already been dissipated and the plan was not reimbursed. As a result, the plan ceased making benefit payments to the participant and his covered dependents under its express self-help provisions in order to recoup the unreimbursed payments. The participant sued to recover the withheld benefits, and the district court ruled in the plaintiff's favor. This week, however, the Ninth Circuit disagreed and concluded that the clear and unambiguous terms of the plan documents allowed the plan to invoke its self-help remedy. In so holding, the court stated that ERISA does not limit the use of such self-help remedies, and that neither contractual doctrines nor res judicata prevented the plan from enforcing such provisions.
KMK Comment: As employers approach open enrollment, now may be a good time to review plan documents and summary plan descriptions to ensure that clear and unambiguous reimbursement and recoupment language is included.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.