The Washington Report

September 17, 2025

While we do our best to provide timely updates, it is possible that the information shared in the newsletter may change after our publication deadline.

Health


New HIPAA Security Guidance Released
As background, the HIPAA Security Rule requires covered entities, such as group health plans (as well as business associates of covered entities), to perform a written “security risk assessment” of the potential risks and vulnerabilities to HIPAA protected health information maintained on their Information Technology (IT) systems and applications.

On September 10, 2025, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released an updated version of the Security Risk Assessment Tool (HIPAA Tool), which is an interactive application that covered entities and business associates can use to create the security risk assessment.

The HIPAA Tool guides users through the required security risk assessment process using a series of multiple-choice questions, while providing references and guidance along the way. The updated HIPAA Tool also offers new features, including a glossary, tips, and a remediation report.

One of the most common HIPAA violations that OCR finds in investigations and audits is a failure to perform the security risk assessment. While most of the requirements of the HIPAA Security Rule are likely addressed by the company’s IT procedures, group health plan sponsors can partner with their internal or external IT teams to create the required security risk assessment using the HIPAA Tool. This should help reduce their exposure to potential fines and penalties under the HIPAA Privacy & Security Rules.

COBRA Penalties Not Applied by Court in the Absence of Harm to Former Employee
In Thiboeaux v. City of Atlanta, 2025 WL 2505600 (11th Cir. 2025), a former employee sued her employer for failing to provide a timely COBRA election notice. The employee claimed she did not receive notices related to her job status or health insurance continuation rights because the employer sent them to an outdated address.

The employee argued that the employer’s failure to provide a timely election notice entitled her to statutory penalties, as the employee asserted that she was prejudiced by the delay and the employer’s mishandling of her health coverage. The employer countered that despite the notice delay, it had maintained the employee’s health insurance coverage at no cost to her for more than two years after termination, and that there was no bad faith or prejudice warranting penalties.

The trial court noted that the employer was aware at the time it mailed the election notice that the address may have been inaccurate and therefore held that the employer did not timely provide the notice. Nevertheless, the court exercised its discretion not to impose penalties because, with more than two years of employer-paid coverage, the employee was “better off” than if she had received a timely notice and paid for the continued coverage herself.

On appeal, the 11th Circuit Court of Appeals agreed that the employee had not been prejudiced by the failure to provide a timely notice. The court held that the trial court did not abuse its discretion in declining to assess COBRA penalties. The absence of prejudice to a COBRA-qualified beneficiary often weighs against the imposition of penalties for notice violations, but as noted in this opinion, penalty assessment is at the discretion of each deciding court. To avoid disputes and potential liability, employers should ensure that COBRA administration procedures are maintained and followed, including the verification of addresses and documentation of notice delivery.
