Posts

Showing posts with the label HIPAA

Louisiana Enacts Consumer Data Privacy Law

Key point: Louisiana becomes the 22nd state — and third this year — to enact a consumer data privacy law, adopting a law similar to Texas’ law. On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act ( SB 386 ) into law. Louisiana is the 22nd state to pass a broad consumer data privacy law. It is the third state — following Oklahoma and Alabama — to pass a law this year. The new law largely tracks Texas’ law but with some notable differences we identify below. Applicability Although the law generally follows the Texas Data Privacy and Security Act, one of the notable ways in which it differs from that law — as well as other Washington Privacy Act model consumer data privacy laws — is its applicability standard. The law applies to controllers and processors that conduct business in Louisiana and satisfy one or more of the following thresholds: (1) have annual gross revenue in excess of $25 million; (2) annually buy, receive for the business’s commercial p...

OCR Announces HIPAA Enforcement Action Against Self-Funded Group Health Plan

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently  announced  a HIPAA enforcement action against an employer-sponsored group health plan. The action resulted in a payment to HHS of $245,000 and a two-year corrective action plan. While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not as common. This case,  coupled with DOL guidance for ERISA fiduciaries concerning cybersecurity , underscores a growing regulatory focus not only on traditional healthcare entities, but also on the plans and ecosystems maintained by employers under ERISA. The Incident: Ransomware, Unauthorized Access, and Plan Data According to the breach notification sent to affected individuals, the plan sponsor experienced a security incident back in 2021 involving encryption of systems and unauthorized access to sensitive data . The data included names and Social Security numbers, along ...

Alabama Enacts Nation’s Twenty-First State Comprehensive Privacy Law

On April 16, 2026, Alabama Governor Kay Ivey signed the  Alabama Personal Data Protection Act  (APDPA) into law, making A labama the twenty-first state to enact a comprehensive privacy law. Alabama is the second state to pass a comprehensive privacy law this year, with  Oklahoma  passing a comprehensive privacy law last month. Notably, the APDPA has l ow applicability thresholds, applying to entities that control or process personal information of more than 25,000 Alabama residents or derive more than 25% of gross revenue from the sale of personal data. However, the law contains a narrow definition of sale and includes standard entity-wide exemptions for entities covered by the Gramm-Leach-Bliley Act (GLBA), as well as both covered entities and business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA) . It also i ncludes exemptions for personal data processed in a “commercial” or “employment” context. Additionally, unlike many...

Is Your Group Health Plan Ready for a Compliance Audit?

Employer-sponsored group health plans operate at the intersection of multiple federal regulatory frameworks — ERISA, the ACA, COBRA, HIPAA, the Mental Health Parity and Addiction Equity Act (MHPAEA), and more. Each imposes its own documentation requirements, reporting deadlines, and operational obligations. The challenge for most employers is not a lack of intent to comply, but the sheer complexity of keeping pace with layered and frequently updated rules. A proactive, systematic compliance review conducted with legal guidance is one of the most effective tools employers have to reduce legal exposure, strengthen plan governance, and prepare for regulatory inquiries . The following overview identifies the key compliance areas that such a review should cover. Plan Governance and ERISA Documentation ERISA requires every welfare benefit plan to be maintained pursuant to a written plan document that satisfies specific requirements. Compliance reviews routinely reveal documentation gaps that...

The New Postmark Rule Could Make Employee Benefit Notices Late

Image
In December 2025, the U.S. Postal Service (USPS) adopted a new rule for postmarks so that they may indicate the processing date, instead of the date the post office took custody of the item. Employers may want to note this new postmark rule so that they don’t violate their legal notice requirements concerning their employee benefit plans. Quick Hits The USPS recently changed a rule so that postmarks may reflect the processing date, rather than the date a post office obtained a letter or package. The new rule could lead to fines for employers if mandatory notices concerning employee benefit plans are deemed late. Electronically sending mandatory notices can help to meet a legal deadline, if the recipient has agreed to electronic communications. Under federal laws like the Employee Retirement Income Security Act (ERISA), the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Affordable Care Act (ACA) ,...