CMS Proposes To Ban Medicare/Medicaid Participation By Providers Providing Minors Gender Transition Care

December 18, 2025

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is preparing to ban health care providers that provide minors certain gender affirming care from participating in Medicare, Medicaid and other programs and activities operated by recipients of HHS funding.

OCR enforces the provisions of Section 504 of the Rehabilitation Act of 1973 (“Section 504”) that prohibit disability discrimination in programs and activities that are conducted by HHS or that receive Federal financial assistance from HHS.

Today, HHS released an advance copy of its Notice of Proposed Rulemaking for Section 504 of the Rehabilitation Act of 1973, which implements Section 504 as it applies to recipients of Federal financial assistance from HHS (45 C.F.R. Part 84).  

The proposed rule, available on the Federal Register’s website for public inspection, clarifies that the definition of “disability” excludes gender dysphoria disorders that do not result from physical impairments. HHS says this clarification is necessary to resolve an ambiguity that was introduced in the preamble to the Section 504 regulation applying to recipients of HHS financial assistance finalized in 2024.

The proposed rule alerts recipients of HHS funding that providing the prohibited services to minors will disqualify them from participation in Medicare, Medicaid and other programs. It also tells providers that prevent, limit, or exclude sex-rejecting procedures that they are no longer viewed as violating Section 504’s prohibition of disability discrimination, as they were under rules issued under the Biden Administration.

All program participants involved in these issues should evaluate the effect of the proposed rules to prepare to comply and comment as needed.

The proposed rule will be available to interested parties for review and public comment for 30 days after publication in the Federal Register.

If you have questions about this or other health care concerns, contact the author. 

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as a “Top Rated Lawyer,” “LEGAL LEADER™” and “Best Lawyer” for her work in “Health Care Law,” “Labor and Employment Law,” “ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is a Martindale-Hubbell “AV-Preeminent” (Top 1%) attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on Section 504 and other health care, health insurance, health information technology, employment, education plan contracting and other compliance, enforcement, policy and other concerns, she is Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group.

Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns; to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions; regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of a multitude of highly regarded publications and presentations on these and a multitude of other health care, health plan and other health industry matters, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


HHS Enforcement Actions Warn Providers & Grant Recipients To Honor Religious Conscience Rights

December 10, 2025

The announcement by the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) of its fifth investigation examining compliance with Federal laws that safeguard conscience rights for health care professionals during President Trump’s second Administration warns States and other federal health program recipients against discriminating against or failing to appropriately accommodate faith-based organizations and providers.

On December 8, 2025, OCR announced the launch of “a major investigation” into a State health department to assess whether its licensing policies, interpretations, or enforcement practices for behavioral health residential facilities and licensed behavioral health personnel violate Federal law by:  

  • Discriminating against faith-based organizations in the administration and/or enforcement of licensing requirements, including requiring any facilitation of sex-rejecting procedures and female genital mutilation (FGM) and treating religious objections as grounds for adverse licensure action, including denial or termination of professional licenses; 
  • Discriminating against institutional and/or individual health care entities for their religious objections to provide, pay for, provide coverage of, or refer for abortion, including through licensing, certification, or other determinations of legal status or participation; or
  • Requiring any individual in a health service program funded by HHS to perform or assist in the performance of services contrary to that individual’s religious beliefs or moral convictions, including counseling or other assistance related to abortion, sex-rejecting procedures, or FGM.

According to OCR, its investigation will proceed under applicable laws including:

  • The Equal Treatment for Faith-Based Organizations rule (45 C.F.R. part 87), which prohibits discrimination against faith-based providers in HHS-supported programs; and
  • Federal health care conscience protection statutes administered under 45 C.F.R. part 88, including the Weldon Amendment, the Coats-Snowe Amendment (42 U.S.C. § 238n), and the Church Amendments (42 U.S.C. § 300a-7). 

The announcement also demonstrates continued efforts across HHS to preserve the fundamental rights of conscience and religious exercise. 

Since OCR enforces Federal protections against discrimination based on conscience and religion in specific programs funded by HHS Federal financial assistance and grant and block grant programs that prohibit discrimination against individuals on the basis of religion, all entities involved in these programs should reaffirm their compliance and mitigate exposures based on the Administration’s enforcement policies and priorities.

If you have questions about this or other health care concerns, contact the author. 

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as “Top Rated Lawyer” and “LEGAL LEADER™ “Top Rated Lawyer” and “Best Lawyer” for her work in Health Care Law, Labor and Employment Law; ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is an A Martindale-Hubble “AV-Preeminent” (Top 1%) attorneys board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.. 

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for-performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; Stark, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns; establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions; regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies” and a multitude of other highly regarded publications and presentations, Ms. Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Health Care, Education & Other Federal Funding Recipients Warned To Honor Parental Rights

December 4, 2025

The U.S. Department of Health and Human Services (“HHS”) is warning pediatric and other health care providers, schools, and other federal grant recipients to honor the rights of parents when providing vaccination and other care within the practice of pediatric medicine.

On December 3, 2025, HHS:

  • Opened an investigation into a complaint that a Midwestern school vaccinated a child with a federally provided vaccine without the parents’ consent by ignoring a religious exemption submitted under a state law;
  • Sent a Dear Colleague letter reminding health care providers that federal law requires them to provide parents access to their children’s health information; and
  • Directed the Health Resources and Services Administration (“HRSA”) to add a grant requirement stating that all funding recipients must comply with all applicable federal and state parental-consent laws for any services or care provided to minors at HRSA-supported health centers as a condition of receiving Health Center Program funds.

The announced investigation by HHS’ Office for Civil Rights (“OCR”) into the reported violation of the exemption from vaccination will examine whether the school failed to comply with the Vaccines for Children Program (“VFC”) requirement that conditions federal provision of vaccines for immunization on compliance with state religious and other exemptions from compulsory vaccination. OCR’s investigation also will examine how the state agency and school district process religious exemption requests to ensure compliance with state law when implementing the VFC program. Program providers receive vaccines purchased for the VFC by the Centers for Disease Control and Prevention (“CDC”).

OCR’s Dear Colleague letter to health care providers spells out parents’ right to access their children’s protected health information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. Under the Privacy Rule, a parent is the personal representative of his or her minor child where the parent has the legal authority to make health care decisions for the child. The letter reinforces that parents who are their children’s personal representatives can exercise their children’s rights with respect to protected health information, including the right of access. OCR is also initiating compliance reviews of a number of large health care providers to ensure that parents receive timely access to their children’s health information.

As part of these actions to protect parents’ rights, HRSA is directly addressing the parental consent obligations that apply to HRSA-supported services for minors.  Before a minor receives medical, dental, behavioral health, or other services at a HRSA-supported health center, the center must obtain consent from a parent or legal guardian in accordance with applicable state or federal law. This requirement applies to all forms of care, including treatment, preventive services, counseling, and services involving sensitive topics such as sexual identity or reproductive health. Existing state, federal, and local laws on parental consent and notification already apply, and HRSA is now clearly detailing these expectations as a condition of receiving Health Center Program funding. HRSA will also send a notice to grant recipients outlining this obligation.

The actions reinforce the high priority HHS places on the protection of vaccination choice, religious freedom and parental choice in federal health, education and other programs.

“Today, we are putting pediatric medical professionals on notice: you cannot sideline parents,” said Health and Human Services Secretary Robert F. Kennedy, Jr. “When providers ignore parental consent, violate exemptions to vaccine mandates, or keep parents in the dark about their children’s care, we will act decisively. We will use every tool at our disposal to protect families and restore accountability.”

“The Vaccines for Children Program should never circumvent parents’ rights,” said Health and Human Services Deputy Secretary and CDC Acting Director Jim O’Neill. “Secretary Kennedy’s decision to probe potential abuse of the VFC is a necessary step in restoring public trust in immunization policy.”

In light of these actions, health care providers, schools and other federal funding and program recipients should use care to ensure their ability to demonstrate their fulfillment of federal parental rights to information and control over their children’s vaccine and other care.

If you have questions about this or other health care concerns, contact the author. 

For More Information

We hope this update is helpful. For more information about this or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as a “Top Rated Lawyer,” “LEGAL LEADER™” and “Best Lawyer” for her work in “Health Care Law,” “Labor and Employment Law,” “ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is a Martindale-Hubbell “AV-Preeminent” (Top 1%) attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.


©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 


HHS Extends Fall Cures Act Attestations Condition and Maintenance of Certification Deadline

December 3, 2025

Health IT developers now have until January 1, 2026 to file the attestation of compliance with the Conditions and Maintenance of Certification requirements of 45 CFR part 170, subpart D implemented by the Department of Health and Human Services (“HHS”) under the ONC Cures Act Final Rule.

The ONC Cures Act Final Rule “Attestations” Condition and Maintenance of Certification requirements require a health IT developer, or its authorized representative that is capable of binding the health IT developer, to provide an attestation of compliance with the following Conditions and Maintenance of Certification requirements in 45 CFR part 170, subpart D to the HHS Secretary semiannually for any Health IT Modules that have or have had an active certification at any time under the ONC Health IT Certification Program (Certification Program) during the prior six months:

  • Information blocking (§ 170.401);
  • Assurances (§ 170.402), subject to more limited requirements if the health IT developer certified a Health IT Module(s) that is part of a health IT product which can store electronic health information;
  • Communications (§ 170.403);
  • Application programming interfaces (APIs) (§ 170.404), if the health IT developer has a Health IT Module(s) certified to certain certification criteria; and such health IT developer must also ensure that health IT allows for health information to be exchanged, accessed, and used, in the manner described in § 170.404; and
  • Real world testing (§ 170.405), if the health IT developer has a Health IT Module(s) certified to certain certification criteria.

Per Certification Program guidance, a health IT developer is required to submit its attestation to an ONC-Authorized Certification Body (ACB) within a designated 30-day window twice a year (every six months) during the months of April and October. April attestations cover the months of October–March, while October attestations cover April–September.[1]

From October 1, 2025, through November 12, 2025, the Assistant Secretary for Technology Policy (ASTP) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively, “ASTP/ONC”) shut down due to a lapse in appropriations.

While health IT developers’ attestations were due by October 31, 2025, the government shutdown that resulted from the appropriations lapse made the ASTP/ONC website for attestation submissions and related compliance resources unavailable. ASTP/ONC staff also were unavailable to provide operational or program support for ONC-ACBs or health IT developers and their authorized representatives.

Due to these disruptions, ASTP/ONC has announced the following enforcement discretion:

  • ASTP/ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.406 until January 1, 2026. Specifically, ASTP/ONC will not exercise its direct review authority over a health IT developer’s obligation to submit their semiannual attestation that would have been due by October 31, 2025, until January 1, 2026, for such attestation.
  • ASTP/ONC will not conclude that an ONC-ACB has failed to review and submit health IT developer attestations to ASTP/ONC as required by 45 CFR 170.523(q), failed to ensure that health IT developers meet their attestation responsibilities as required by 45 CFR 170.550(l), or violated the good standing provisions of 45 CFR 170.560(a); or take any enforcement action under 45 CFR 170.565 against an ONC-ACB if an ONC-ACB does not review and submit health IT developers’ attestations originally due to ASTP/ONC by October 31, 2025, until January 1, 2026.

This enforcement discretion will apply until January 1, 2026, to give health IT developers and ONC-ACBs through December 31, 2025, to ensure submission of attestations for the period covering April 2025 through September 2025. The deadline for the April 2026 attestation submission, covering the period from October 2025 through March 2026, remains April 30, 2026.

For additional information on the attestation requirements, please see the Certification Companion Guide for Attestations and the Attestations Resource Guide.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubbell AV-Preeminent (highest/top 1%) practicing attorney nationally celebrated as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law”; and recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. 
She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©️2025 Cynthia Marcotte Stamer. Reprinted by permission pursuant to non-exclusive license to Solutions Law Press.

[1] https://www.healthit.gov/condition-ccg/attestations


Troy Health Pays $1.4 Million+ Criminal Penalty Under 1st Non-Prosecution Agreement Under DOJ’s New Corporate Enforcement and Voluntary Self‑Disclosure Policy

August 26, 2025

North Carolina-based Medicare Advantage, Medicare Part D, and Dual Eligible Special Needs Plan provider Troy Health, Inc. (“Troy”) is paying a more than $1.4 million criminal penalty under a non-prosecution agreement with the Department of Justice resolving its criminal exposure from a federal criminal investigation into a health care fraud and identity theft scheme involving Troy’s use of artificial intelligence and automation software to illegally obtain Medicare beneficiary information and fraudulently enroll beneficiaries into its Medicare Advantage plans. As the Justice Department Health Care Fraud Unit’s first non-prosecution agreement since it implemented its updated Corporate Enforcement and Voluntary Self‑Disclosure Policy (CEP), introduced in May 2025, the prosecution and resulting non-prosecution agreement contain critical insights for Medicare Advantage and other health industry organizations and their leaders.

Troy Fraud Investigation Behind Non-Prosecution Agreement

According to the Justice Department’s August 21, 2025, announcement of the non-prosecution agreement, following a Troy executive’s 2021 board meeting announcement of an “aggressive but achievable” plan to triple Troy’s enrollment during the 2022 open enrollment period, Troy deliberately defrauded low-income Medicare beneficiaries and the Medicare system by duping low-income Medicare beneficiaries into sharing their information by promising to use its proprietary artificial intelligence platform and other technologies to improve patient health outcomes, and misused patient data to enroll beneficiaries in its Medicare Advantage plan without their consent.

In the non-prosecution agreement, Troy admitted that Troy defrauded the Medicare program by enrolling beneficiaries in Troy’s Medicare Advantage plans without their knowledge or consent when Troy’s Territory Managers under a Troy executive’s direction used proprietary software developed by one of Troy’s executives to unlawfully access pharmacy records and customer lists containing beneficiaries’ names, addresses, dates of birth, Medicare ID numbers, insurance information and other sensitive personal information that Troy used to make unsolicited sales calls to potential Medicare beneficiaries.

Troy also admitted that it used information obtained from the customer lists to enroll beneficiaries in Troy’s Medicare Advantage plan without their consent. During sales calls, Troy’s sales personnel provided false and misleading information to Medicare beneficiaries. For example, Troy’s sales personnel told prospective enrollees that they were calling on behalf of the beneficiaries’ pharmacies and represented to beneficiaries that Troy’s Medicare Advantage plan was being offered as a supplement to their existing health care plans rather than as a new plan.

Troy also admitted using an artificial intelligence-based health care management platform it developed and made available to participating pharmacies, known as Troy.ai, as part of the scheme. Troy marketed Troy.ai as a product that would leverage data and machine learning to lower the cost of care and improve health outcomes. As part of its effort to obtain new enrollments, however, Troy misused the platform by offering pharmacies kickbacks for enrollment referrals submitted through Troy.ai.

At the height of the scheme, during the Medicare Advantage open enrollment period between January 1, 2022 and March 31, 2022, Troy enrolled over 2,700 new Medicare Advantage members, many through automatic or batch enrollments. For example, on March 2, 2022, Troy enrolled over 300 beneficiaries on one day, with the enrollments occurring approximately one minute apart. In addition, some Troy employees manually entered fraudulent enrollments through the Centers for Medicare and Medicaid Services (“CMS”) website.

“The defendant’s use of stolen identities to fraudulently enroll individuals in Medicare Advantage plans was a deliberate scheme to boost profits at the expense of vulnerable patients and the integrity of the Medicare program,” stated Deputy Inspector General for Investigations Christian J. Schrank of the Department of Health and Human Services Office of Inspector General (HHS-OIG). “HHS-OIG, alongside our law enforcement partners, will continue to relentlessly pursue those who exploit Medicare and threaten the security of enrollees’ personal health information.”

As part of the non-prosecution agreement, Troy admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in connection with the scheme. Troy also agreed to pay a criminal penalty of $1,430,008 and agreed to continue cooperating with the Department in any ongoing or future criminal investigation relating to this conduct.

The Department reached this resolution with Troy based on several factors, including Troy’s efforts to provide all relevant facts known to it, acceptance of responsibility for criminal conduct, extensive and timely remedial measures taken, commitment to continuing enhancement of compliance and internal control programs, absence of prior criminal history or regulatory actions, commitment to cooperation with federal agencies in any ongoing investigations, and the nature and seriousness of the offense. Troy did not receive voluntary self-disclosure credit, but did receive credit for its cooperation with the Department’s investigation and affirmative acceptance of responsibility, which included (i) self-reporting its 2022 batch member enrollment issue to CMS before it had come to the attention of the Department; (ii) providing timely updates on facts learned during its internal investigation; and (iii) providing all relevant facts known to it, including information about individuals involved in the conduct. However, and particularly during the early phase of the Department’s investigation, Troy failed to preserve and produce certain documents and evidence in a timely manner and, at times, took actions that were inconsistent with full cooperation. The Justice Department also reduced the penalty amount based on evidence of Troy’s ability to pay.

Health Industry Take Aways

As the first settlement announced since the Justice Department announced the new CEP last May, the Troy prosecution and non-prosecution agreement opens a window for other health industry organizations and their leaders into current Justice Department health industry practices for applying the new CEP and other priorities and practices such as the following:

  • Fraud Prosecution Remains A Huge Priority. The Troy and other investigations and prosecutions make clear the Justice Department remains committed to finding and prosecuting health care fraud and identity theft.
  • Medicare Advantage & Supplement Insurer Misconduct. The Troy investigation and non-prosecution agreement is part of a series of recently announced investigations and actions against insurers accused of engaging in fraud or other abuses. The Troy announcement also follows the Department of Health & Human Services Office of Inspector General’s addition of several projects targeting fraud and other misconduct by private insurers participating in the Federal Exchange and Medicare and Medicaid Advantage and Supplement marketplaces to its Work Plan.
  • AI & Technology-Enabled Fraud: The prosecution signals the Justice Department’s growing scrutiny of tech-enabled fraud. It sends a clear warning to healthcare companies using automation/AI or other technologies that misuse of beneficiary data, deceptive enrollment tactics or other technology-enabled misconduct carries serious consequences.
  • Corporate and Individual Accountability: Although the Justice Department claims a commitment to enforcement against both individuals and organizations and the announcement makes clear specific leaders at Troy participated in creating or promoting this scheme, to date the Justice Department has not charged any individuals for their involvement in this scheme. This may be a sign that early cooperation and settlement can help insulate individual leaders from accountability. Stay tuned.
  • Monitoring. The non-prosecution agreement applies the CEP’s “no-monitors-if-unnecessary” approach while sending a clear message companies must still demonstrate robust cooperation and remediation to benefit from relief offered under the CEP and Federal Sentencing Guidelines penalty guidelines.

If you have questions about this or other health care concerns, contact the author. 

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as “Top Rated Lawyer,” “LEGAL LEADER™” and “Best Lawyer” for her work in “Health Care Law,” “Labor and Employment Law,” “ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is a Martindale-Hubbell “AV-Preeminent” (Top 1%) attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies” and a multitude of other highly regarded publications and presentations, Ms. Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Stamer “Cybersecurity Jedi Skills Training” Added To 2025 Security Summit Agenda

July 24, 2025

The Information Systems Security Association (“ISSA”) – Los Angeles Chapter (“ISSA-LA”) recently confirmed that Solutions Law Press publisher and author Cynthia Marcotte Stamer will conduct “Cybersecurity Jedi Skills Training” at the Annual Security Summit 2025 that ISSA-LA is hosting on September 17-18, 2025, at the Annenberg Beach House in Santa Monica, California.

Under constant threat of potentially draconian operational, financial and legal mayhem from cybercriminals’ ransomware and other cyberattacks, organizations, investors, breach victims, health care and other business partners, and federal and state regulators increasingly expect cybersecurity and other IT leaders to defend their organization’s proprietary knowledge, workforce, finance, and other mission critical data and systems against cyberthreats from the dark web with the skill of Jedi knights. While even the most skilled cyberwarriors can’t render their data and operating systems impenetrable against these attacks, cybersecurity professionals and their organizations should engage in constant training and preparation to protect themselves and their organizations from the fallout that commonly follows from a data or systems breach or failure.

The September 17, 2025, “Cybersecurity Jedi Skills Training” workshop that Ms. Stamer will conduct is designed to help CISOs, Directors of Information Security and other leaders strengthen their cybersecurity prevention and response strategies for enhanced defensibility. Drawing from her decades of experience advising and defending data-reliant organizations and their leaders, her workshop will:

  • Arm cybersecurity leaders with knowledge about how data, systems, and technology can either promote or undermine legal defensibility, and share basic principles and strategies for designing and using technology and data to advance legal goals and defensibility.
  • Empower cybersecurity defenders with insights into key cybersecurity, privacy, electronic data, and technology-related traps that impact defense and response strategies.
  • Highlight how cyber events and violations of computer, securities, antitrust, and other laws can expose organizations and their leaders to criminal, civil, and administrative liability.
  • Reveal key evidentiary practices and processes to use during compliance, contracting, audits, investigations, governance, incident management, and response, as well as when dealing with government or other investigations, to promote and strengthen defensibility and mitigate risks.

Ms. Stamer has developed the training from her decades of experience helping highly regulated and other performance and data-sensitive organizations and their leaders use the law, process, technology and other legal, risk management and operational tools to promote defensibility, mitigate risk, enhance operational effectiveness, and manage change and uncertainty. The founding and Managing Member of the Cynthia Marcotte Stamer, P.C. law firm, Ms. Stamer has used her extensive legal and operational knowledge to provide practical, client-centric advice, tools and solutions to help a diverse array of U.S. and multinational business, government, and community organizations, to design, manage and defend their people; compensation and benefits; technology, data privacy and security; regulatory compliance; and other operations-critical risks and performances for more than 35 years.  She is best known for her work with employer and other workforce, health, employee benefits, insurance, data and technology, financial and government organizations, and their technology and other developers and vendors, all of which bear significant data privacy and security obligations.

Longtime Scribe leading the American Bar Association (“ABA”) JCEB Annual Agency Meeting with the HHS Office of Civil Rights; incoming Intellectual Property Section Information Technology Committee  Vice Chair, and a widely published author, speaker and thought leader on cybersecurity and other data and technology use, privacy and protection, Ms. Stamer’s process-oriented work throughout her career continuously has included helping clients use and defend their data and technology practices, investigating and responding to data and technology breaches, events, threats and regulations; and dealing with insurers, federal and state legislators, regulators and investigators on cybersecurity and other data and technology concerns.  Her cutting-edge work, scholarship and thought leadership, advocacy and community service have earned her recognition as a “Top Woman Lawyer;” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; “Best Lawyer” in “Labor and employment,” “Tax: ERISA & Employee Benefits,” “Health Care,” and “Business and Commercial Law.” For additional information about Ms. Stamer or her services, see here or contact Ms. Stamer directly.

Ms. Stamer’s “Cybersecurity Jedi Skills Training” is part of two days of professional training and networking that ISSA-LA is presenting at its Annual Security Summit 2025. Founded in 1982 by Sandra Lambert and Nancy King, ISSA-LA is the premier catalyst and community resource in Southern California for improving the practice of information security. A 501(c)(3) organization and the founding Chapter of the ISSA®, ISSA-LA provides various training classes and lectures for information security and IT professionals throughout the year and at the annual Summit. ISSA-LA meets monthly for dinner and regularly collaborates with other IT and Cybersecurity organizations, having joint meetings and social events with the Women’s Society of Cyberjutsu, the Cloud Security Alliance, and the Association of IT Professionals, to name a few. To register, review the schedule, information about sponsorship, or other details about the Annual Security Summit 2025 or ISSA-LA, see here.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.


Prepare For Coverage Declines From Marketplace Rule Changes

June 26, 2025

Health care providers treating patients covered by the Healthcare Marketplace insurance plans created under the Patient Protection and Affordable Care Act (“ACA”) should prepare for fallout from a new Department of Health and Human Services (“HHS”) Final Rule that tightens subsidy and other eligibility and makes other reforms. Providers should anticipate and begin planning for the effect on their organizations of these enrollment and coverage changes impacting their patients.

The 2025 Marketplace Integrity and Affordability Final Rule (“Rule”) reverses Biden Administration rules that lowered requirements for individuals to receive subsidies to pay costs for purchasing health coverage and eased other requirements for Exchange coverage.

According to the now Trump Administration-led Centers for Medicare & Medicaid Services (“CMS”), improper ACA enrollments enabled by weakened verification processes and expanded premium subsidies triggered widespread fraud. Research shows that in 2024, an estimated 5 million people may have been improperly enrolled, costing taxpayers as much as $20 billion[1].

To address these concerns, the new Rule provides for:

  • Repealing the monthly special enrollment period (SEP) for individuals with projected household incomes at or below 150% of the federal poverty level, a policy used by some agents and brokers to improperly enroll ineligible consumers and perform unauthorized plan switching to gain commissions;
  • Requiring income verifications to ensure people qualify for the premium subsidies they receive;
  • Conducting eligibility verifications for the majority of enrollments through SEPs, closing loopholes that allowed people to wait to enroll until they needed care and improving the risk pool, which can lower premiums for middle-class families not receiving subsidies;
  • Reducing advanced payments of the premium tax credit (APTC) by $5 a month for individuals who are auto re-enrolled in fully-subsidized plans without eligibility verification, ensuring consumers are aware of and engaged in their health coverage; and
  • Standardizing the Annual Open Enrollment Period starting with the 2027 plan year so that it ends by December 31 for all health insurance exchanges, encouraging people to maintain year-round health coverage rather than waiting until they get sick to enroll, which helps keep insurance affordable for everyone.

CMS says many changes are “temporary” measures set to sunset at the end of 2026 to immediately tamp down on the outflow of funds to ensure that eligibility verification processes work efficiently and allow qualified enrollees to access ACA Exchange coverage without fear of coverage gaps or surprise tax liabilities resulting from the improper actions of third parties.

To ensure federal subsidies for coverage through ACA Exchanges only support the statutory requirements and goals of the ACA, CMS also is:

  • Prohibiting federal subsidies from being used to help cover the cost of specified sex-trait modification procedures to align an individual’s physical appearance or body with an asserted identity that differs from the individual’s sex; and
  • Reinstating HHS’ longstanding 2012 interpretation of “lawfully present” to exclude Deferred Action for Childhood Arrivals (DACA) recipients from eligibility and enrollment in ACA Exchange coverage and Basic Health Program (BHP) coverage in States that elect to operate a BHP, including APTC, premium tax credits, and cost-sharing reductions.

CMS says these reforms address improper enrollments and the improper flow of federal funds implemented during the Biden Administration.

Regardless of the reason and duration of these changes, the Rule will trigger loss or other changes in enrollment or coverage for many patients reliant on the Marketplace for coverage. Health care practices should anticipate and prepare to deal with the probable effects of these changes on their practices. While effects may vary, consequences foreseeable from these changes might include:

  • More uninsured or underinsured patients;
  • Care adjustment and transitions by patients experiencing losses or reductions in coverage;
  • Increased demand for cash pay, financing and other special arrangements;
  • Declines or delays in patient medication or other care compliance;
  • Enhanced accounts receivables and collections issues;
  • Lost revenue; and
  • More.

Anticipating and planning for the effects of the changes can help health care providers mitigate disruptions from the impending changes.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubbell AV-Preeminent (highest/top 1%) practicing attorney nationally celebrated as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. 
She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©️2025 Cynthia Marcotte Stamer. Reprinted by permission pursuant to non-exclusive license to Solutions Law Press.


Use OIG Work Plan To Anticipate OIG Audit & Enforcement Risks

May 17, 2025

Health care organizations and providers can get invaluable insight about their likely audit and enforcement risks by following the Department of Health & Human Services Office of Inspector General (“OIG”) Work Plan.

OIG updates its plan monthly. The following are the new projects OIG added to the work plan this month:


©️2025 Cynthia Marcotte Stamer. Reprinted by permission pursuant to non-exclusive license to Solutions Law Press.


OCR’s 8th Investigation Announcement Clearly Warns HHS-Funded Organizations To Ensure Merit-Based Decisions & Manage Antisemitism & Other Prohibited Discrimination Risks

May 14, 2025

Academic medicine and other education, health care, Medicare or Medicaid Advantage insurers, and other organizations received another warning to update and strengthen the defensibility of their policies and practices system-wide for preventing anti-Semitism and other race, color, national origin, religious or other discrimination from the Department of Health & Human Services’ May 13, 2025, announcement of another investigation of another university for anti-Semitism in violation of the Civil Rights Act of 1964 (“CRA”) and other federal civil rights laws.

The Civil Rights Act of 1964 (the “CRA”), the Equal Protection Clause of the 14th Amendment to the United States Constitution, Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and various other federal laws prohibit discrimination on the basis of race, national origin, color and certain other status by covered government or private organizations, including health care, Medicare and Medicaid Advantage, academic medicine and other education, child care, research and other HHS-funded organizations, employers and other entities.

Since President Donald J. Trump (“President Trump”) took office in January, HHS OCR, the Departments of Education and Justice, the Equal Employment Opportunity Commission (“EEOC”) and other federal agencies have been aggressively investigating anti-Semitism, anti-Christianity, and certain other race, color, national origin and religious discrimination by academic medicine and other educational institutions, health care organizations, health insurers, employers and other organizations covered by these civil rights laws. These investigations and enforcement actions target prohibited discrimination in all forms, including the use of race, national origin, color, sex, religion and other non-merit based criteria, even when those criteria are applied to promote racial balancing, diversity or other similar goals.

Trump Merit-Based Civil Rights Executive Orders Heighten Public & Private Civil Rights & Other Discrimination Risks

This heightened investigation and enforcement emphasis is a direct response to the directives of President Trump in a series of Executive Orders directing federal agencies zealously to combat anti-Semitism, anti-Christian, and other discrimination or bias based on race, color, national origin and religion. See, e.g., Executive Order 14188 – Additional Measures To Combat Anti-Semitism (January 29, 2025); Executive Order 14202, Eradicating Anti-Christian Bias (February 6, 2025); Executive Order 14291, Establishment of the Religious Liberty Commission (May 11, 2025); and Executive Order 14291, Establishment of the Religious Liberty Commission (May 1, 2025).

As part of these directives, President Trump specifically singled out anti-Semitism for special attention and concern. In Executive Order 14188, for instance, President Trump directed HHS, the Justice Department and other agencies to vigorously enforce the Civil Rights Act to combat the rise of anti-Semitism and anti-Semitic incidents in the U.S. and around the world. While Executive Order 14188 specifically targeted the use of the Civil Rights Act and other federal prohibitions against race, color and national origin discrimination to fight anti-Semitism, Executive Order 14188 also noted that anti-Semitism can violate federal protections against religious discrimination, stating:

…[Title VI] prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving Federal financial assistance. While Title VI does not cover discrimination based on religion, individuals who face discrimination on the basis of race, color, or national origin do not lose protection under Title VI for also being a member of a group that shares common religious practices. Discrimination against Jews may give rise to a Title VI violation when the discrimination is based on an individual’s race, color, or national origin.

The Trump Administration’s emphasis on protecting federal right of conscience and other religious freedom protections is made more perilous by his sharp disagreement with, revocation of, and characterization as patently illegal of various key aspects of the interpretation and enforcement policies of the Biden, Obama and other previous administrations regarding federal right of conscience and other religious freedom, sexual orientation, reproductive rights and other civil rights policies and protections. See, e.g., Executive Order 14281 – Restoring Equality of Opportunity and Meritocracy (April 23, 2025). These directives and widespread coverage and publicity of the actions by HHS and other federal agencies to implement and enforce the Administration’s merit-based interpretation and enforcement of civil rights laws are fueling a slew of new federal investigations and enforcement, as well as encouraging and shaping private discrimination claims by both parties advantaged or disadvantaged by the Administration’s interpretations.

As reflected by OCR’s May 13, 2025 announcement of its investigation of complaints against a “prestigious” midwestern university (“University”), OCR and other federal agencies are responding by zealously investigating complaints of anti-Semitism or other race, color, national origin and religious discrimination by academic and other health care, education, health insurance and other organizations receiving federal funding under programs managed by HHS.

Announced OCR Investigations Since February Show HHS Enforcement Risks

According to OCR, the investigation announced on May 13, 2025, and other investigations “[are] part of a broader effort by the Administration’s multi-agency Joint Task Force to Combat Anti-Semitism.” OCR opened the investigation against the University in response to a complaint from a multi-stakeholder advocacy organization that alleges “systemic concerns regarding the University’s actions to maintain a campus climate, academic direction, and institutional policy that ensures nondiscrimination on the basis of race, color, and national origin.” OCR says its investigation will examine whether the University complied with its obligations under Title VI not to discriminate against Jewish students, such that it denied them an educational opportunity or benefit.

Before OCR issued its May 13, 2025, announcement, OCR and other federal agencies previously had announced Civil Rights Act and other investigations of illegal anti-Semitism at four academic medical centers based on their response to protests and other anti-Semitic activity during graduation and other activities. In addition, OCR also had announced similarly high-profile investigation or enforcement actions against Harvard University and Harvard Law Review, an HHS-funded health services research scholarship program; eight medical schools and hospitals; an HHS-funded health research program; a California-based medical school; the State of Maine and others for impermissibly applying race, color, national origin, sex, religious or other prohibited criteria in operating their programs.

The message from these and other HHS investigations and enforcements is clear.  “Institutions of higher education receiving HHS Federal financial assistance are responsible for complying with Title VI’s nondiscrimination mandates,” said Anthony Archeval, Acting Director of the Office for Civil Rights at HHS. “OCR is committed to ensuring students’ education, safety, and well-being are not disrupted due to discrimination at institutions funded by taxpayer dollars.”

Dear Colleague Letter Advises Academic Medicine & Other HHS-Funded Organizations On Implementing Merit Based Decisionmaking

While warning academic medical and other health care and other HHS-funded organizations against the application of non-merit based criteria and other prohibited race, national origin, color, sex and religious discrimination, OCR also has sought to encourage covered entities to adapt their policies and practices to comply with President Trump’s merit-based interpretation of the Civil Rights Act and other federal civil rights law prohibitions against race, color, national origin, sex and religious discrimination through a May 6, 2025, “Dear Colleague” Letter. In the Dear Colleague Letter, OCR ‘clarifies’ its updated policies interpreting and enforcing what constitutes race-based discrimination under Title VI, Section 1557, and the Equal Protection Clause of the United States Constitution as applied to student admissions, academic and campus life, and the operation of university hospitals and clinics.

The Dear Colleague Letter reiterates that Title VI and Section 1557 prohibit academic medical and other covered organizations from relying on race-based criteria, racial stereotypes, and facially neutral criteria that operate as a pretext for race. Instead, citing the Supreme Court’s decision in Students for Fair Admissions v. Harvard, 600 U.S. 181 (2023) and President Trump’s Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, the Dear Colleague Letter warns HHS-funded academic medicine and other organizations that these federal rules require that health care providers and those in the health professions pipeline make their selections and decisions “based on merit and clinical skills, not race” or other non-merit based criteria, even when the purpose of the use of the criteria is to promote diversity or racial-balancing.

The Dear Colleague Letter discloses that in applying its merit-based interpretation of Title VI and Section 1557, OCR will prioritize enforcement against HHS-funded organizations that:

  • Use race as part of their application or employment processes;
  • Require diversity, equity, and inclusion statements in connection with hiring or promotion; or
  • Lack clear policies demonstrating compliance with Students for Fair Admissions v. Harvard.

Accordingly, the Dear Colleague Letter advises medical schools and other HHS-funded organizations to:

  • Ensure their policies and procedures comply with existing federal civil rights laws;
  • Discontinue criteria, tools, or processes that serve as substitutes for race or are intended to advance race-based decision-making; and
  • End reliance on third-party contractors, clearinghouses, or data aggregators that engage in prohibited uses of race.

Act Now To Mitigate Risks From Past, Current & Future Non-Merit Based Decisions & Other Prohibited Discrimination

The new emphasis of HHS and other agencies on investigation and enforcement of federal protections for race, national origin, and other civil rights laws alone should prompt all health care and other HHS-regulated authorities prospectively to reevaluate and update their own practices to strengthen their defensibility under new standards.

As the Trump Administration civil rights directives and interpretations apply to all federal agencies, all organizations should consider and redress their exposure to civil rights or other discrimination under EEOC and other workforce, Department of Justice, and other applicable agency rules when assessing the adequacy of their existing policies and practices.

Organizations also should anticipate the likely need to defend past actions, given the practice of HHS and other agencies of applying the merit-based civil rights law interpretations of the Trump Administration even to events and actions that occurred while organizations were subject to the diversity, equity and inclusion friendly interpretations of federal civil rights laws during the Biden Administration. Since the investigation and enforcement actions announced by HHS and other agencies so far retroactively apply the newly announced Trump-era interpretations and standards to investigations of events and actions that occurred during the Biden Administration, prospective changes to enhance the defensibility of current and future actions alone may not be enough. Rather, health care and other organizations need to prepare for the possibility that HHS or other agencies may require their organization to defend Biden-era events under the new Trump Administration interpretations and enforcement policies. In the face of these developments, all health care organizations receiving funding from HHS should review their current and past policies and actions implicating federal civil rights laws to assess and manage their potential past exposures and mitigate future risks.

Because the process of reviewing and revising their policies and practices inevitably will require medicine and other HHS-funded institutions to identify and engage in legally and politically sensitive discussions of past and current policies, events, and actions affecting the competing interests of individuals or organizations whose opportunities are either helped or hurt by the Trump Administration’s transition to a merit-based interpretation of civil rights laws, as well as potential whistleblower and retaliation exposures, academic medicine and other HHS-funded organizations generally should work within the scope of attorney-client privilege with legal counsel experienced with these and other civil rights laws and with dealing with OCR and other agencies in relation to investigations and enforcement actions under these rules.

The author of this update, Cynthia Marcotte Stamer, has decades of experience advising, representing, and defending health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, public and private employers, government contractors and grant recipients, educational organizations, child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other religious, civil rights and other discrimination, HIPAA and other privacy and data security, False Claims Act and other billing and reimbursement, quality, technology, licensing and accreditation, whistleblower and other workforce, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has had extensive involvement in Civil Rights Laws, Section 1557 and other discrimination compliance, training, risk management and defense.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.


Medicare Advantage Plans, Brokers Face Justice Department FCA & Antikickback Suit

May 14, 2025

The Justice Department has filed a False Claims Act (“FCA”) and Antikickback Statute complaint against three of the nation’s largest health insurance companies — Aetna Inc. and affiliates, Elevance Health Inc. (formerly known as Anthem), and Humana Inc., CVS Health Corporation, and three large insurance broker organizations — eHealth, Inc. and an affiliate, GoHealth, Inc., and SelectQuote Inc.

Under the Medicare Advantage (“MA”) Program, also known as Medicare Part C, Medicare beneficiaries may choose to enroll in health care plans (MA plans) offered by private insurance companies, like defendants Aetna, Anthem, and Humana. To select which MA Program insurer to enroll in, many Medicare beneficiaries rely on insurance brokers to help them choose an MA plan that best meets their individual needs.

The Anti-Kickback Statute prohibits parties who participate in federal healthcare programs from knowingly and willfully paying or receiving any remuneration in return for referring an individual to, or arranging for the furnishing of, any item or services for which payment is made by the federal healthcare programs. Although much more often enforced against health care providers, its prohibitions against kickbacks also apply to Medicare Advantage health insurers and the brokers doing business with them. Also, as is required of Medicare participating health care providers, the MA Program requires participating insurers to certify their compliance with the Anti-Kickback Statute. The Justice Department construes the False Claims Act as prohibiting a participating Medicare Advantage insurer from billing Medicare for the capitated payments Medicare pays to plans for periods when the insurer is in violation of the Anti-Kickback Statute.

Kickbacks Alleged In United States ex rel. Shea v. eHealth, et al.

In United States ex rel. Shea v. eHealth, et al., No. 21-cv-11777 (D. Mass. May 5, 2025), originally brought as a private whistleblower action by a former eHealth employee, the Justice Department Civil Division claims that the defendant insurers paid hundreds of millions of dollars in illegal kickbacks to the defendant brokers in exchange for enrollments into the insurers’ Medicare Advantage plans from 2016 through at least 2021.

Rather than acting as unbiased stewards, the Justice Department charges that the defendant brokers allegedly directed Medicare beneficiaries to the plans offered by insurers that paid brokers the most in kickbacks, regardless of the suitability of the MA plans for the beneficiaries.

According to the complaint, the broker organizations incentivized their employees and agents to sell plans based on the insurers’ kickbacks, set up teams of insurance agents who could sell only those plans, and at times refused to sell MA plans of insurers who did not pay sufficient kickbacks.

The Justice Department also alleges that Aetna and Humana each conspired with the broker defendants to discriminate against Medicare beneficiaries with disabilities whom they perceived to be less profitable. Aetna and Humana allegedly did so by threatening to withhold kickbacks to pressure brokers to enroll fewer disabled Medicare beneficiaries in their plans.

The Justice Department further alleges that, in response to these financial incentives from Aetna and Humana, the defendant brokers or their agents rejected referrals of disabled beneficiaries and strategically directed disabled beneficiaries away from Aetna and Humana plans.

The lawsuit was originally filed under the qui tam or whistleblower provisions of the FCA. Under the FCA, private parties can file an action on behalf of the United States and receive a portion of the recovery. The FCA permits the United States to intervene in and take over the action. If a defendant is found liable for violating the FCA, the United States may recover three times the amount of its losses plus applicable penalties.

Commonwealth Care Alliance Prior Kickback Settlement

The actions filed against the defendants are not the first of their kind. In January 2025, the Justice Department announced that MA Program insurer Commonwealth Care Alliance, Inc. (CCA) agreed to pay $520,355.65 to resolve allegations that Reliance HMO, Inc., a company CCA acquired in 2022, violated the FCA by providing cash payments to induce the referral of Medicare beneficiaries to enroll in Reliance’s Medicare Advantage Plan in violation of the Anti-Kickback Statute, after CCA voluntarily self-disclosed the conduct to the U.S. Attorney’s Office.

In April 2019, CMS authorized Reliance HMO, Inc. (Reliance) to operate a MA plan for Medicare beneficiaries in Michigan, with beneficiaries receiving coverage starting in January 2020. On March 31, 2022, CCA announced completion of its acquisition of a 70% stake in Reliance. After the acquisition, CCA identified concerns regarding certain marketing-related outreach and payments Reliance agents had made to personnel at physician practices. In particular, CCA disclosed two schemes.

First, from April 12, 2019, through December 22, 2020, Reliance provided cash payments to healthcare professionals and administrative staff in physician practices, in exchange for providing Reliance with the contact information for patients who had agreed, through executing so-called “permission to contact” cards, to be contacted by Reliance regarding its MA plan offerings.

Second, in November 2019, prior to Reliance’s MA plan becoming active, Reliance paid each of four physicians and physician practices $2,500, which Reliance characterized as advances on “coordination of care” services to be provided by the physicians to beneficiaries when the MA plan became active in 2020.

The United States alleges these payments were intended to induce the referral, recommendation, or arrangement of enrollment of Medicare beneficiaries in Reliance’s MA plan. Such payments, the United States alleges, were impermissible kickbacks in violation of the False Claims Act. The settlement announced today resolves these claims.

CCA voluntarily self-disclosed this conduct to the United States and received credit for its cooperation. In addition, CCA took remedial measures, including terminating the employees directly involved with the decision to offer the payments described above, and providing the United States with a detailed written statement describing its investigation, along with other supplemental information to assist the United States in its investigation.

Alleged Medicare Advantage Insurer Risk Adjustment Padding

The Justice Department also recently has investigated certain Medicare Advantage insurers for alleged manipulation of risk data to increase their capitated payments from Medicare. For instance, the Justice Department recently sued MA Program insurer Independent Health Association and its affiliate, Independent Health Corporation (collectively, “Independent Health”) for allegedly illegally manipulating risk data used to set risk adjustment rates paid by Medicare to their Medicare Advantage plans in United States ex rel. Ross v. Independent Health Association et al., No. 12-CV-0299(S) (WDNY). To settle the litigation, Independent Health agreed to pay up to $98 million to resolve allegations that they violated the False Claims Act by knowingly submitting or causing the submission of invalid diagnosis codes to Medicare for Medicare Advantage Plan enrollees to increase payments that Independent Health received from Medicare. Under the terms of the settlement, Independent Health promised to make guaranteed payments of $34,500,000 and contingent payments of up to $63,500,000 on behalf of itself and DxID, which ceased operations in 2021. Its Chief Executive Officer separately agreed to pay $2,000,000. In addition, Independent Health entered into a five-year corporate integrity agreement (CIA) with HHS-OIG that requires, among other things, that Independent Health hire an Independent Review Organization to annually review a sample of Independent Health’s Medicare Advantage patients’ medical records and associated internal controls to help ensure appropriate risk adjustment payments.

The Justice Department touts all of these and other investigations and enforcement actions against Medicare Advantage insurers as demonstrating its commitment to hold Medicare Advantage insurers and brokers accountable for kickbacks or other misconduct. In the Justice Department’s press release about the eHealth litigation, Deputy Assistant Attorney General Michael Granston of the Justice Department’s Civil Division stated, “We are committed to rooting out illegal practices by Medicare Advantage insurers and insurance brokers that undermine the interests of federal health care programs and the patients they serve.”

These and other actions send a strong warning to Medicare Advantage insurers and brokers to abstain from prohibited risk adjustment, kickbacks or other prohibited conduct. Additionally, self-insured health plan sponsors, fiduciaries, administrators and their consultants, brokers and insurers also should keep in mind that practices like those challenged in the Justice Department actions also are likely to raise concerns under the fiduciary responsibility and prohibited transaction rules of the Employee Retirement Income Security Act of 1974 (“ERISA”). Consequently, employer and other plan sponsors, their fiduciaries and their brokers and advisors may wish to visit with experienced legal counsel about the advisability of conducting due diligence into the past, current or future plan vendor relationships with their own programs.

More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubbell AV-Preeminent (highest/top 1%) practicing attorney nationally celebrated as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law,” recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. 
She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.


©️2025 Cynthia Marcotte Stamer. Reprinted by permission pursuant to non-exclusive license to Solutions Law Press.



6/16 Deadline To Recommend On Patient-Centric Technology Design With CMS and ONC

May 14, 2025

June 16, 2025 is the deadline to respond to the request for information (“RFI”) of the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) seeking input on designing a seamless, secure, and patient-centered digital health infrastructure that will help seniors and their families use modern technology to take control of their health and well-being, manage chronic conditions, and access care more efficiently.

Following up on the CMS Interoperability and Patient Access Final Rule and as part of Secretary Kennedy’s efforts to “Make America Healthy Again,” the RFI invites input from patients, caregivers, providers, payers, technology developers, and other stakeholders on how CMS and ONC can:

  • Drive the development and adoption of digital health management and care navigation applications; 
  • Strengthen interoperability and secure access to health data through open, standards-based technologies; 
  • Identify barriers preventing the seamless exchange of health information across systems; and
  • Reduce administrative burden while accelerating progress toward value-based, patient-centered care. 

Many health care providers and others in the health industry have made significant investments in and have experience with patient focused health and wellness technologies. Sharing input can promote awareness of helpful design ideas and help deter investments or mandates of counterproductive technologies.


©️2025 Cynthia Marcotte Stamer. Licensed for republication to Cynthia Marcotte Stamer.


Health Care Organizations Urged To Strengthen Right Of Conscience Defenses As HHS Opens 2 Right Of Conscience Investigations Within 1 Month Of Opening New Child Chemical Or Surgical Mutilation Whistleblower Portal

May 12, 2025

Health care organizations should move quickly to verify the defensibility of their current and past practices and actions for offering and providing religious accommodation and avoiding religious discrimination in light of the announcements by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of the opening of two new Church Amendment right of conscience investigations less than a month after OCR published a new right of conscience guidance and launched a new online portal for whistleblowers to use to submit tips or complaints regarding the chemical and surgical mutilation of children. These developments are particularly concerning in light of the sharp reversal of the policies of the prior administration and the apparent current readiness of the agencies to treat actions taken under the previous administration’s policies as grounds for investigation or enforcement.

Federal Statutes Protect “Right of Conscience” In Health Care

While Federal protections against religious discrimination and infringement on rights of conscience are longstanding and well-established through the religious freedom and discrimination provisions of the First Amendment to the United States Constitution and the Civil Rights Act of 1964 (the “CRA”), and health care specific laws such as the Church Amendment, Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal laws, President Trump’s policy directions on right of conscience and other religious freedom and discrimination are fueling new requirements and risks for health care organizations and other businesses and government organizations.

HHS interpretation and enforcement of the prohibitions against religious or other discrimination under Section 1557 and other federal rules protecting Rights of Conscience in health care is now rapidly evolving in response to recent Executive Orders of President Trump. Its announcement of two right of conscience investigations against health care organizations in less than a month illustrates the exploding risks that health care providers and other organizations receiving HHS funding face for excluding or discriminating against health care providers, patients, and certain other federal program participants who refuse on religious or moral grounds to participate in certain health care services under these federal health care right of conscience rules including the following:

Church Amendment

Enacted in the 1970s to protect the rights of individuals and entities to object to performing or assisting in the performance of certain procedures because of their religious beliefs or moral convictions, the Church Amendment:

  • Prohibits public officials and authorities from requiring recipients of certain federal financial assistance to provide or make their facilities available for abortion or sterilization when the recipient has a religious or moral objection to sterilization or abortion.
  • Prohibits entities that receive certain federal financial assistance from discriminating against physicians and health care personnel:
    • because they performed a lawful sterilization, abortion, or other lawful health service or research activity,
    • because they refused to perform a lawful sterilization, abortion, or other lawful health service or research activity, or
    • because of their religious beliefs or moral convictions about sterilization, abortion, or any other lawful health services or research activities.
  • Protects individuals who object because of their religious or moral beliefs to performing or assisting in the performance of any part of a federally funded health service program or research activity.
  • Prohibits entities that receive certain federal financial assistance from discriminating against applicants for training or study because the applicant is reluctant or willing to participate in abortions or sterilizations due to their religious or moral beliefs.

Coats-Snowe Amendment

The Coats-Snowe Amendment, codified as Section 245 of the Public Health Service Act, prohibits the federal government and any state or local government receiving federal financial assistance from discriminating against any health care entity on the basis that the entity:

  • Refuses to undergo training in the performance of abortions;
  • Refuses to require or provide abortion training;
  • Refuses to perform abortions, or to provide referrals for abortion training or for abortions;
  • Refuses to make arrangements for any of the above activities related to abortion; or
  • Attends (or attended) a post-graduate physician training program, or any other program of training in the health professions, that does not (or did not) perform induced abortions or require, provide, or refer for training in the performance of induced abortions, or make arrangements for the provision of such training.

Weldon Amendment

The Weldon Amendment provides that none of the funds made available in those HHS appropriations acts may be made available to a Federal agency or program, or to a state or local government, if the agency, program, or government discriminates against any institutional or individual health care entity on the basis that the health care entity does not provide, pay for, provide coverage of, or refer for abortions. It defines “health care entity” to include “an individual physician or other health care professional, a hospital, a provider-sponsored organization, a health maintenance organization, a health insurance plan, or any other kind of health care facility, organization, or plan.”

Trump Policy Directives Drive New Risks By Changing Prior Religion & Other Discrimination Interpretations & Prioritizing New Rule Enforcement For Past, Current & Future Actions

Although U.S. law long has protected religious freedom through the protections of the First Amendment to the United States Constitution, the Civil Rights Act of 1964 (the “CRA”), Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal laws, HHS interpretation and enforcement of these Rights of Conscience now are rapidly evolving in response to President Trump’s policy directions on right of conscience and other religious freedom and discrimination in his recent Executive Orders.

Most directly, HHS’ new emphasis on investigation and enforcement of Rights of Conscience directly responds to Executive Orders of President Trump on religious freedom. In his Executive Order 14188 – Additional Measures To Combat Anti-Semitism (January 29, 2025), for instance, President Trump, in declaring his administration’s commitment to combating the rise of anti-Semitism and anti-Semitic incidents in the United States and around the world and directing the Justice Department and other agencies to vigorously enforce Civil Rights Act Title VI, specifically noted the current prohibitions against anti-Semitism embedded in U.S. religious freedom laws, stating:

Title VI of the Civil Rights Act of 1964 (Title VI) prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving Federal financial assistance. While Title VI does not cover discrimination based on religion, individuals who face discrimination on the basis of race, color, or national origin do not lose protection under Title VI for also being a member of a group that shares common religious practices. Discrimination against Jews may give rise to a Title VI violation when the discrimination is based on an individual’s race, color, or national origin.

In Executive Order 14202, Eradicating Anti-Christian Bias (February 6, 2025), President Trump ordered HHS and other agencies to review and recommend policy changes and other remedial actions to correct any unlawful anti-Christian policies and practices of the Biden Administration and to develop other strategies to protect the religious liberties of Americans.

Subsequently, in his May 11, 2025, Executive Order 14291, Establishment of the Religious Liberty Commission, President Trump took aim at threats to religious freedom from efforts of certain Federal, state and local policies that President Trump views as infringing longstanding conscience protections, preventing parents from sending their children to religious schools, threatening loss of funding or denial of non-profit tax status for faith-based entities, and singling out religious groups and institutions for exclusion from governmental programs. To redress these threats, President Trump announced it is “the policy of the executive branch to vigorously enforce the historic and robust protections for religious liberty enshrined in Federal law” and to “promote citizens’ pride in our foundational history, identify emerging threats to religious liberty, uphold Federal laws that protect all citizens’ full participation in a pluralistic democracy, and protect the free exercise of religion.”

To implement this policy, President Trump established a “Religious Liberty Commission” to prepare a comprehensive report on the foundations of religious liberty in America, the impact of religious liberty on American society, current threats to domestic religious liberty, strategies to preserve and enhance religious liberty protections for future generations, and programs to increase awareness of and celebrate America’s peaceful religious pluralism. In defining the directives of the Commission, President Trump expressly included among the topics for consideration by the Commission “[c]onscience protections in the health care field and concerning vaccine mandates,” permitting time for voluntary prayer, and the right of all Americans to freely exercise their faith without fear or Government censorship or retaliation. See Executive Order 14291, Establishment of the Religious Liberty Commission (May 1, 2025).

The Trump Administration’s emphasis on protecting federal right of conscience and other religious freedom protections is made more perilous by its sharp disagreement with, revocation of, and characterization as patently illegal of various key aspects of the interpretation and enforcement policies of the Biden, Obama and other previous administrations regarding federal right of conscience and other religious freedom, sexual orientation, reproductive rights and other civil rights policies and protections. See e.g., Executive Order 14281 - Restoring Equality of Opportunity and Meritocracy (April 23, 2025).

Beyond these religious freedom directives, President Trump also has issued other Executive Orders reversing key Biden Administration policies on politically sensitive policies often overlapping with issues of religious conscience.  For instance, in one of his earliest actions upon commencing his second Presidency, President Trump overruled previous administrations’ policies that promoted and protected the right of individuals to self-define their own sex regardless of biological sex at birth and associated safeguards and protection by directing[1] that U.S. law recognize only two genders, male and female, the assignment of which is determined by the gender of an individual at birth.

Subsequently, in Executive Order 14187, Protecting Children From Chemical and Surgical Mutilation (January 28, 2025), President Trump overruled Biden Administration policies protective of gender transition and other treatments for gender dysphoria by ordering HHS to take action to terminate all regulations and other policies and practices that allow or support chemical and surgical mutilation of children as a treatment of gender dysphoria.

Meanwhile, in his Executive Order 14182-Enforcing the Hyde Amendment (January 24, 2025), President Trump reversed key policies undertaken by the Biden Administration to mitigate the effects of the Supreme Court’s landmark Dobbs vs. Jackson Women’s Health Organization decision that overturned Roe vs. Wade by declaring the U.S. Constitution does not protect a woman’s right to an abortion.

In response to these and other Trump Executive Orders, HHS on April 14, 2025, published its new Guidance for Whistleblowers on the Chemical and Surgical Mutilation of Children (the “Whistleblower Guidance”). The Whistleblower Guidance explains the conditions under which the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) allows health care providers, health plans, health care clearinghouses or their business associates (“HIPAA Entities”) to disclose information about chemical or surgical mutilation of children in violation of the Executive Order, and the key federal anti-retaliation protections for whistleblowers making these disclosures or engaging in other exercises of their Rights of Conscience under the Church Act.

New HIPAA Whistleblower Guidance

The HIPAA Privacy Rule generally prohibits use and disclosure, and requires protection, of protected health information (“PHI”) by HIPAA Entities. The Whistleblower Guidance notes that since its inception, the Privacy Rule has provided various pathways for HIPAA Entities to use and disclose PHI in connection with whistleblowing actions of their workforce members or business associates.

Along with the option to use de-identified information in whistleblower disclosures, the Whistleblower Guidance also notes that the whistleblower provision of the Privacy Rule provides that a HIPAA Entity is not considered to violate the Privacy Rule when a workforce member or business associate discloses PHI in the following circumstances:

  • The workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public[2], and
  • The workforce member or business associate of the covered entity discloses PHI to any of the following:
    • A health oversight agency[3] or public health authority[4] authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity.
    • An appropriate health care accreditation organization[5], such as a state medical board, for the purpose of reporting the allegation of failure to meet professional standards[6] or misconduct by the covered entity.
    • An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining his or her legal options with respect to whistleblowing.

Thus, the Whistleblower Guidance states the Privacy Rule protects a HIPAA Entity from liability for the good-faith whistleblower action of a member of its workforce or a business associate in these situations, but does not protect the HIPAA Entity where, for example, a member of its workforce or its business associate discloses PHI to a member of the media or in some other manner not in accordance with an allowable exception to the Privacy Rule.

Since the HIPAA Entities bear responsibility for inappropriate disclosures of PHI by whistleblowers from their workforce, the Whistleblower Guidance sends a strong message to HIPAA Entities to properly document and train workforce members about when and how HIPAA allows or prohibits the use of PHI when reporting known or suspected violations of the law.

Along with discussing when HIPAA allows whistleblowers to use or disclose PHI to report illegal behavior, the Whistleblower Guidance also highlights the following as among the federal laws most likely pertinent for “protecting whistleblowers who take action related to ensuring compliance with” Executive Order 14187:

  • The National Defense Authorization Act of 2013 (“NDAA”) contains a broad whistleblower protection for employees of federal contractors and grantees by providing that “[a]n employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor may not be discharged, demoted, or otherwise discriminated against as a reprisal for disclosing to” certain statutorily defined officials and entities “information that the employee reasonably believes is evidence of gross mismanagement of a Federal contract or grant, a gross waste of Federal funds, an abuse of authority relating to a Federal contract or grant, a substantial and specific danger to public health or safety, or a violation of law, rule, or regulation related to a Federal contract (including the competition for or negotiation of a contract) or grant.”
  • The False Claims Act (“FCA”) anti-retaliation provisions protect “employee[s], contractor[s], [and] agent[s]” from discharge, demotion, suspension, or any other manner of discrimination “in the terms and conditions of employment” because of lawful acts taken by the individual in furtherance of a claim under the FCA or “other efforts to stop one or more violations of [the FCA]”  where an individual must generally show that: (1) he or she is a covered “employee, contractor, or agent”; (2) he or she was engaged in activity protected by the statute; (3) he or she was retaliated against; and (4) the retaliation was “because of” protected activity.
  • The Church Amendments prohibit entities that receive certain federal financial assistance from discriminating “in the employment, promotion, or termination of employment of any physician or other health care personnel” or discriminating “in the extension of staff or other privileges to any physician or other health care personnel” because that individual “refused to perform or assist in the performance” of a “lawful sterilization procedure” “on the grounds that his performance or assistance in the performance of the procedure . . . would be contrary to his religious beliefs or moral convictions,” or “because of his religious beliefs or moral convictions respecting sterilization procedures[.]”  In addition, 42 U.S.C. § 300a-7(d) provides: “No individual shall be required to perform or assist in the performance of any part of a health service program or research activity funded in whole or in part under a program administered by the Secretary of Health and Human Services if his performance or assistance in the performance of such part of such program or activity would be contrary to his religious beliefs or moral convictions.”
  • The HIPAA Privacy Rule generally requires HIPAA Entities to have and apply appropriate sanctions against members of their workforce who fail to comply with their privacy policies or procedures or with the requirements of the rule. However, Privacy Rule § 164.530(e)(1) explicitly excludes the application of sanctions to a member of the HIPAA Entity’s workforce for whistleblowing activity.

2 New Right Of Conscience Investigations Signal Growing Enforcement Risks

OCR’s announcement of its opening of two Right of Conscience investigations sends a clear warning to health care providers and other HHS-funded entities to ensure the defensibility of their own practices and policies for honoring the rights of conscience of their workforce and others they do business with in the course of their operations.

  • 1st Right Of Conscience Investigation Announcement On April 14

On April 14, 2025, OCR announced its initiation of its first investigation of a major pediatric teaching hospital for allegedly terminating the employment of a whistleblower nurse for exercising her federally protected rights of conscience. The OCR announcement states that the investigation will examine whether the pediatric hospital violated the Church Amendments by firing a whistleblower nurse after she requested a religious accommodation to avoid administering puberty blockers and cross-sex hormones to children, which she opposed due to religious beliefs about the sterilization effects of these interventions. The announcement also quotes Acting HHS OCR Director Anthony Archeval as stating, “The Department will robustly enforce Federal laws protecting these courageous whistleblowers, including laws that protect health care professionals from being forced to violate their religious beliefs or moral convictions.”

  • 2nd Right of Conscience Investigation Announcement On May 12

Less than one month after announcing its first investigation, OCR on May 12, 2025, announced its second right of conscience investigation against a hospital which is part of a larger health care system.  According to the announcement, the investigation will focus on how the hospital accommodates its health care personnel who decline to perform or assist in the performance of abortion procedures contrary to their religious beliefs or moral convictions. 

The second announcement notes that the investigations are “part of a larger effort to strengthen enforcement of laws protecting conscience and religious exercise.” It also quotes Acting OCR Director Archeval as stating, “The Department is committed to enforcement of our nation’s laws that safeguard the fundamental rights of conscience and religious exercise,” …  “Health care professionals should not be coerced into, fired for, or driven out of the profession for declining to perform procedures that Federal law says they do not have to perform based on their religious beliefs or moral convictions.” 

The new emphasis of HHS and other agencies on investigation and enforcement of federal protections for rights of conscience and other religious freedoms and other civil rights laws alone should prompt all health care and other HHS-regulated authorities prospectively to reevaluate and update their own practices to strengthen their defensibility under new standards. When assessing the adequacy of their existing policies and practices, health care and other covered organizations also should anticipate the likely need to defend past actions taking into account the Trump Administration’s sharp redirection of interpretations and enforcement away from the policies of the Biden Administration. Since the investigation and enforcement actions announced by HHS and other agencies so far retroactively apply the newly announced Trump-era interpretations and standards to investigations of events and actions that occurred during the Biden Administration, prospective changes to enhance the defensibility of current and future actions alone may not be enough. Rather, health care and other organizations need to prepare for the possibility that HHS or other agencies may require their organization to defend Biden-era events under the new Trump Administration interpretations of the Church Amendments, the CRA, Section 1557, and other federal rules on religious or other Civil Rights law discrimination. In the face of these developments, all health care organizations receiving funding from HHS should review their current and past policies and actions implicating potential exercises of rights of conscience regarding the treatment of children for gender dysphoria, abortion and other reproductive rights and other areas likely to implicate the Church Amendments or other federally protected religious rights to assess their potential past exposures and mitigate future risks.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising, representing, and defending health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, public and private employers, government contractors and grant recipients, educational organizations, child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other religious, civil rights and other discrimination, HIPAA and other privacy and data security, False Claims Act and other billing and reimbursement, quality, technology, licensing and accreditation, whistleblower and other workforce, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in Civil Rights Laws, Section 1557 and other discrimination compliance, training, risk management and defense.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.


[1] See e.g., Executive Order 14168, Defending Women From Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (January 20, 2025).

[2] 45 CFR 164.502(j)(1)(i).

[3] 45 CFR 164.501.

[4] 45 CFR 164.501.

[5] 65 Fed. Reg. at 82492.

[6] See 65 Fed. Reg. at 82727


CMS Suspends 8 Quality Improvement Measures

May 6, 2025

The Centers for Medicare & Medicaid Services (CMS) is suspending the following eight improvement activities for the 2025 performance year (“PY”) in accordance with the Merit-based Incentive Payment System (MIPS) Improvement Activities Suspension Policy finalized in the CY2021 Physician Fee Schedule (PFS) final rule (86 FR 65465):

  • IA_AHE_5 – MIPS Eligible Clinician Leadership in Clinical Trials or CBPR
  • IA_AHE_8 – Create and Implement an Anti-Racism Plan
  • IA_AHE_9 – Implement Food Insecurity and Nutrition Risk Identification and Treatment Protocols
  • IA_AHE_11 – Create and Implement a Plan to Improve Care for Lesbian, Gay, Bisexual, Transgender, and Queer Patients
  • IA_AHE_12 – Practice Improvements that Engage Community Resources to Address Drivers of Health
  • IA_PM_6 – Use of Toolsets or Other Resources to Close Health and Health Care Inequities Across Communities (Use of toolset or other resources to close healthcare disparities across communities)
  • IA_ERP_3 – COVID-19 Clinical Data Reporting with or without Clinical Trial
  • IA_PM_26  – Vaccine Achievement for Practice Staff: COVID-19, Influenza, and Hepatitis B

Clinicians using any suspended measure should select other improvement activities to complete. However, if any of the suspended improvement activities have already been completed or were in the process of being completed, clinicians will still be able to attest to completing them and receive credit. Please review the 2025 Improvement Activities Inventory for available improvement activities.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD, FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.


HHS Harvard University Action & Dear Colleague Letter Clarify Civil Rights Merit-Based Action & DEI Ban

May 6, 2025

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) on May 7, 2025, clarified in a “Dear Colleague” letter its interpretation of what constitutes race-based discrimination under Title VI of the Civil Rights Act of 1964 (“Title VI”), Section 1557 of the Affordable Care Act (“Section 1557”), and the Equal Protection Clause of the 14th Amendment of the United States Constitution as applied to institutions of higher education, such as medical schools, and other entities that receive HHS funding in light of President Trump’s directives in Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity.

Evolving Application of Civil Rights Laws To DEI, Affirmative Action & Other Preferences

In Students for Fair Admissions v. Harvard, 600 U.S. 181 (2023), the Supreme Court ruled the DEI admissions policies applied by Harvard University and the University of North Carolina violated the Equal Protection Clause of the 14th Amendment. applies the case’s holding to Title VI and Section 1557. The Court ruled the requirement of equal treatment prohibits discrimination absent proof of a compelling government interest under a strict scrutiny standard. The Court ruled the universities failed to demonstrate the necessary compelling interest. Accordingly, the Court found their application of race or other preferences violated the 14th Amendment.

Under Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, President Trump directed federal agencies to enforce long-standing civil rights laws and “to combat illegal private sector diversity, equity and inclusion (“DEI”) preferences, mandates, policies, programs, and activities.”

HHS & ED Merit-Based Decisions Policy Investigations & Enforcement

During the second term of the Trump Administration, OCR has initiated seven investigations under federal civil rights law to promote merit-based opportunity.

The April 28, 2025 announcements by both HHS and ED of the opening of race discrimination investigations of Harvard under the Civil Rights Act, in response to reports of race-based discrimination permeating the operations, are illustrative.

Opened in response to information HHS and ED received about policies and practices for journal membership and article selection, HHS’ and ED’s OCR investigations respond to reports of potential application of preferences in violation of EO 14173. 

The Harvard Law Review’s editor reportedly wrote that it was “concerning” that “[f]our of the five people” who wanted to reply to an article about police reform “are white men.” Another HLR editor suggested “that a piece should be subject to expedited review because the author was a minority.”

Based on these reports, HHS and ED suspect Harvard Law Review’s article selection process “picks winners and losers on the basis of race, employing a spoils system in which the race of the legal scholar is as, if not more, important than the merit of the submission.”

According to HHS and ED, these types of considerations based solely on race are illegal and unacceptable for recipients of federal funding.

“Law journal membership and publication are crucial achievements that build momentum for law students’ careers and shape legal scholarship,” said Anthony Archeval, Acting Director of HHS Office for Civil Rights. “This investigation reflects the Administration’s common-sense understanding that these opportunities should be earned through merit-based standards and not race.”

Acting Director Archeval warned, “Title VI’s demands are clear: recipients of federal financial assistance may not discriminate on the basis of race, color, or national origin. No institution—no matter its pedigree, prestige, or wealth—is above the law. The Trump Administration will not allow Harvard, or any other recipients of federal funds, to trample on anyone’s civil rights.”

The apparent triggering of the investigations based on “reports” of statements suggesting race bias of a nature often expressed within certain segments of many organizations highlights the challenges covered organizations are likely to experience in negotiating civil rights compliance. Health care, academic medicine and other organizations should ensure their merit-based criteria and their underlying business justifications are clearly defined and defensible in their form, design and administration.

Harvard stands to lose big if the investigations are not resolved in its favor. HHS and ED are threatening to terminate Harvard’s eligibility for federal funds from their agencies. Alongside the HHS and ED investigations, the Trump administration also has asked the Internal Revenue Service to investigate whether Harvard’s policy of applying racial preferences disqualifies it for continuing tax exemption under the Internal Revenue Code.

These high profile investigations are designed to send a strong signal to organizations to bring an end to DEI practices or face similar harsh consequences.

New Dear Colleague Letter Policy Clarification

This week, OCR followed up by sending out the Dear Colleague letter to reinforce and clarify its current policy on race preferences. Although the letter technically addresses academic institutions, HHS says its principles apply to all programs funded and activities regulated by HHS.

The Dear Colleague letter reiterates that relying on race-based criteria, racial stereotypes, and facially neutral criteria that operate as a pretext for race are all prohibited under Title VI and Section 1557, including when diversity and racial-balancing are the aims.

In implementing President Trump’s “merit-based” Civil Rights Laws interpretation, OCR’s Dear Colleague letter states OCR will prioritize investigations of institutions that:

  • Use race as part of their application or employment processes; 
  • Require diversity, equity, and inclusion statements in connection with hiring or promotion; or 
  • Lack clear policies demonstrating compliance with Students for Fair Admissions v. Harvard.

In light of OCR’s commitment to enforce this merit-based decision making requirement, the Dear Colleague letter advises medical schools and other entities receiving federal funding to ensure health care providers, and those in the health professions pipeline, are selected based on merit and clinical skills, not race, according to Office for Civil Rights Acting Director Anthony Archeval. HHS and ED also recommend academic healthcare and other HHS or ED funded organizations:

  • Ensure their policies and procedures comply with existing federal civil rights laws;
  • Discontinue criteria, tools, or processes that serve as substitutes for race or are intended to advance race-based decision-making; and
  • End reliance on third-party contractors, clearinghouses, or data aggregators that engage in prohibited uses of race.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising academic medicine and other education, health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other discrimination, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in Civil Rights Laws, Section 1557 and other discrimination compliance, training, risk management and defense.



Nurse Practitioner Likely To Get Lengthy Prison Sentence For Health Care Fraud Conviction

May 2, 2025

A Louisiana nurse practitioner faces a lengthy prison sentence when sentenced following her federal jury conviction yesterday for her role in an over $2 million health care fraud scheme.

According to court documents and evidence presented at trial, Shanone Chatman-Ashley was a nurse practitioner and enrolled provider with Medicare. Chatman-Ashley worked as an independent contractor for companies that purportedly provided telehealth services to Medicare beneficiaries. As part of the scheme, Chatman-Ashley caused the submission of false and fraudulent claims to Medicare for medically unnecessary durable medical equipment (“DME”). Chatman-Ashley routinely ordered knee braces, suspension sleeves, and other types of DME for patients without an examination by her or another medical provider. Chatman-Ashley concealed the scheme by signing documentation falsely certifying that she had consulted with the beneficiaries and personally conducted assessments of them. From 2017 to 2019, the defendant signed more than 1,000 orders for medically unnecessary DME, causing over $2 million in fraudulent Medicare claims and over $1 million in reimbursements. In exchange for the orders, Chatman-Ashley received kickbacks and bribes from the telehealth services companies.

In the Justice Department’s announcement of the conviction, Matthew R. Galeotti, the Head of the Justice Department’s Criminal Division, warned:

The Department of Justice will not tolerate medical professionals who fraudulently enrich themselves at the expense of American taxpayers.

Chatman-Ashley was convicted of five counts of health care fraud. She is scheduled to be sentenced on July 31. She faces a maximum penalty of 10 years in prison on each count. A federal judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about health industry quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 



Health Care Network’s $600,000 Settlement Highlights Health Industry HIPAA Hacking Liability Exposures & Risk Analysis Responsibilities

April 23, 2025

Conduct an appropriate risk analysis, take the required steps to protect your electronic health records from phishing and other hacking threats, and otherwise clean up your Health Insurance Portability and Accountability Act of 1996 compliance! That’s the clear message the Department of Health and Human Services Office for Civil Rights (“OCR”) urges health care providers, health plans, health care clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) to learn from the $600,000 HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) settlement OCR announced with Southern California health care network PIH Health, Inc. (“PIH”) on April 23, 2025.

Hacking incidents present a significant cybersecurity threat to Regulated Entities’ electronic health and other data.  Phishing and other hacking attacks are among the most common types of large breaches reported to OCR every year. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR.  Between January 1 and April 23, 2025 alone, OCR received 161 hacking-related breach reports from Regulated Entities. OCR’s Breach Portal indicates that on April 23, 2025, OCR had a total of 554 open hacking-related breach investigations, 506 involving health care providers, 47 involving health plans, and one involving a health care clearinghouse.

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to conduct and maintain documented risk analysis to assess their hacking and other threats to the security of their individually identifiable electronic protected health information (“ePHI”) and meet other specific standards to protect the privacy and security of protected health information against hacking and other improper access, destruction, or disclosure. As reflected in the following table of current HIPAA sanctions, violation of these HIPAA requirements exposes a Regulated Entity to significant civil monetary penalties or criminal sanctions.

HIPAA Sanctions

| Tier | Civil Penalties[1] | Criminal Penalties |
|---|---|---|
| 1 | Lack of Knowledge: $141 – $71,162 per violation | Reasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment |
| 2 | Reasonable Cause: $1,424 – $71,162 per violation | PHI Obtained Under False Pretenses: Up to 5 years imprisonment |
| 3 | Willful Neglect (corrected within 30 days): $14,232 – $71,162 per violation | PHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment |
| 4 | Willful Neglect (not corrected within 30 days): $71,162 – $2,134,831 per violation | |

Most Regulated Entities that OCR accuses of violating the HIPAA requirements avoid paying the full amount of authorized civil monetary penalties by accepting OCR settlement offers. As the $600,000 PIH settlement demonstrates, settlement with OCR allows Regulated Entities to avoid much greater potential civil monetary penalties by paying a much smaller, but still generally significant, settlement amount.

PIH Breach and Settlement

The PIH settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020 about a June 2019 phishing attack. The report stated the attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Rules, including:

  • Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
  • Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

The findings of deficiencies in PIH’s risk analysis and requirements that PIH conduct an accurate and thorough risk analysis and implement a risk management plan to address and mitigate identified security risks and vulnerabilities are a recurrent theme in OCR breach investigations.   OCR’s recent addition of a Risk Analysis Initiative to its compliance and enforcement priorities heightens the significance of OCR’s inclusion of these findings and requirements in the PIH settlement.

The HIPAA Security Rule requires a Regulated Entity to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Meanwhile, the HIPAA Breach Notification Rule requires in 45 CFR § 164.402 that a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and, in the case of breaches involving the ePHI of 500 or more individuals, the media. OCR also interprets these Rules together to treat a breach of ePHI, or evidence putting a Regulated Entity on notice of a potential susceptibility creating a risk of a breach, as triggering a duty by the Regulated Entity to conduct a Risk Assessment under the Security Rule to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it.

OCR views Risk Analysis as foundational to the protection of ePHI. Consequently, since the earliest days of HIPAA, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations in its guidance and educational outreach, as well as by regularly discussing in its civil monetary penalty assessments and HIPAA settlement announcements the Risk Analysis requirement and the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entities.

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. With the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced its Risk Analysis Initiative and now is zealously enforcing the current Risk Analysis requirements through it to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities. In the months before its announcement of the PIH settlement, OCR announced seven Risk Analysis Initiative settlements, including two in April. Although OCR’s PIH settlement announcement does not label the settlement as a Risk Analysis Initiative settlement, OCR’s discussion makes clear OCR considered PIH’s failure to fulfill the Risk Analysis requirements a core failure contributing to the breach.

OCR Acting Director Anthony Archeval made a point of warning other Regulated Entities to ensure the adequacy of their own organizations’ Risk Analysis and other Security Rule compliance in OCR’s announcement of the PIH settlement by stating:

Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implementation specification, the Security Management Process Standard requires Regulated Entities to enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date, accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience. Among other things, the proposed rule would:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; and
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • To use multi-factor authentication, with limited exceptions;
  • To conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • To implement network segmentation;
  • To maintain separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that completing the Tool may help a Regulated Entity defend, but does not guarantee, its fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its ePHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its ePHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance depends on its evaluation of and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promote the defensibility of the adequacy of their Risk Assessments.

Appropriate Processes Can Enhance Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should assess and confirm the adequacy of its current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. In conducting this evaluation of their existing Risk Analysis, Regulated Entities generally will want to use a process like the following, which takes advantage of attorney-client privilege and other evidentiary rules to help protect against discovery of sensitive discussions about possible deficiencies in their existing Risk Analysis and about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for the team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and a process for board and senior management reporting by the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performance and cooperation commitments to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train the Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team to conduct an updated, documented assessment of cyber-risk within the scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy, for presentation to and approval by the Board, that captures the analysis and determinations justifying the size, scope and timing of your periodic Risk Analysis and the rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analyses, taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce the Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or events;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer, is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubbell AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law”; and recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally, her ABA involvements include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, and a founding board member and Past President of the Alliance for Healthcare Excellence, and has served in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under the PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.


[1] The civil monetary penalty amounts are adjusted annually for inflation.  OCR has not yet published the 2025 inflation adjusted amounts. 


Risk Analysis Critical For Health Care Providers & Other HIPAA-Covered Entities To Manage OCR & Other Data Breach Exposures

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office for Civil Rights (“OCR”) of two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health care providers, health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly is warning health care providers and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative.”

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Violation of these requirements exposes Regulated Entities to civil monetary penalties or even criminal penalties depending on the nature of the violation.

Since the HIPAA Security Rule first took effect, risk analysis has been one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and, in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entities in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. With the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively, bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling of these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
  • Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Augmenting its existing HIPAA and security training program for all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Analysis Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis requirement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. territory island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
  • Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
  • Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
  • Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implementation specification, the Security Management Process Standard requires Regulated Entities to enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date, accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience. Among other things, the proposed rule would:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; and
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • To use multi-factor authentication, with limited exceptions;
  • To conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • To implement network segmentation;
  • To deploy separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that completing the Tool may help Regulated Entities defend, but does not guarantee, fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its ePHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its ePHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance is based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promote the defensibility of the adequacy of their Risk Assessments.

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should assess and confirm the adequacy of its current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect against discovery of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for the team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and the process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train the Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team to conduct an updated, documented assessment of cyber-risk within the scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce the Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or events;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer, is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubbell AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally, her ABA involvements include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.


Trump 4/15 Executive Order Targets Prescription Drug Cost, Transparency and Competitiveness Reforms

April 17, 2025

Health care providers, health plans and insurers, pharmaceutical and prescription drug companies, prescription benefit managers and consumers should prepare for increased regulation of prescription drug benefit management arrangements and other changes in federal rules on prescription drug pricing, coverage and related practices in response to directives in President Trump’s April 15, 2025 Executive Order on Lowering Drug Prices By Once Again Putting Americans First (the “Executive Order”).

Intended to address widely shared concerns about prescription drug availability, cost and coverage, the Executive Order declares optimization of health care programs, intellectual property protections, and safety regulations to provide access to prescription drugs at lower costs to American patients and taxpayers the policy of the United States. Persons potentially concerned or impacted by these concerns should monitor the affected agencies for calls for stakeholder input, proposed guidance, and other activities in furtherance of the shaping and implementation of these new policy initiatives.

Medicare-Focused Prescription Drug Reforms

To promote this policy, the Executive Order directs the Department of Health and Human Services (“HHS”) and various other federal agencies to take certain steps to implement it. These include several directives to HHS and certain other agencies that President Trump intends to lower the cost of prescription drugs within and outside the Medicare program.

By April 15, 2026, the Executive Order directs HHS to develop a better payment model to improve the ability of the Medicare program to obtain better value for high-cost prescription drugs and biological products covered by Medicare, including those not subject to the Medicare Drug Price Negotiation Program.   

In addition, the Executive Order:   

  • Directs HHS to work with the Congress to modify the Medicare Drug Price Negotiation Program to align the treatment of small molecule prescription drugs with that of biological products so as to end the distortion that undermines relative investment in small molecule prescription drugs, coupled with other reforms to prevent any increase in overall costs to Medicare and its beneficiaries;
  • By June 14, 2025,   
    • Requires HHS to propose changes to the Medicare Drug Price Negotiation Program regulations for the initial price applicability year 2028 and manufacturer implementation of maximum fair price under such program in 2026, 2027, and 2028 to improve the transparency of the Medicare Drug Price Negotiation Program, prioritize the selection of prescription drugs with high costs to the Medicare program, and minimize any negative impacts of the maximum fair price on pharmaceutical innovation within the United States; and
    • Requires HHS to require health centers receiving Public Health Service Act Section 330(e) grants to establish practices to make insulin and injectable epinephrine available at or below the discounted price paid by the health center grantee or sub-grantee under the 340B Prescription Drug Program (plus a minimal administration fee) to low income individuals who have a high cost-sharing requirement for either insulin or injectable epinephrine; have a high unmet deductible; or have no healthcare insurance.
    • Requires the Assistant to the President for Domestic Policy (“APDP”) in coordination with the Secretary, the Director of the Office of Management and Budget (“OMB Director”), and the Assistant to the President for Economic Policy (“APECP”), to provide recommendations to the President on how best to stabilize and reduce Medicare Part D premiums;
    • Requires the HHS Secretary to publish a plan to conduct a survey under the Site-of-Service Price Transparency rules of Social Security Act Section 1833(t)(14)(D)(ii) to determine the hospital acquisition cost for covered outpatient drugs at hospital outpatient departments and propose appropriate adjustments to align Medicare payment with the cost of acquisition, consistent with the budget neutrality requirements;
    • Requires HHS to evaluate and propose regulations to ensure that payment within the Medicare program is not encouraging a shift in drug administration volume away from less costly physician office settings to more expensive hospital outpatient departments.

Other Prescription Drug Reforms

In addition to these predominantly Medicare-focused programs, the Executive Order also:

  • Requires the Secretary of Labor to propose regulations pursuant to section 408(b)(2)(B) of the Employee Retirement Income Security Act of 1974 to improve employer health plan fiduciary transparency into the direct and indirect compensation received by pharmacy benefit managers by October 12, 2025;
  • Requires the APDP, in coordination with the HHS Secretary, the OMB Director, and the APECP, to provide recommendations to the President on how best to promote a more competitive, efficient, transparent, and resilient pharmaceutical value chain that delivers lower drug prices for Americans by June 14, 2025;
  • Requires the Food and Drug Administration to streamline and improve the Importation Program under the Federal Food, Drug, and Cosmetic Act to make it easier for States to obtain approval without sacrificing safety or quality;
  • Requires the OMB Director, the APDP, the Assistant to the President for Economic Policy (“APECP”), and the HHS Secretary to provide joint recommendations on how best to ensure that manufacturers pay accurate Medicaid drug rebates consistent with section 1927 of the Social Security Act, promote innovation in Medicaid drug payment methodologies, link payments for drugs to the value obtained, and support States in managing drug spending;
  • Requires the HHS Secretary, through the Commissioner of Food and Drugs, to issue a report providing administrative and legislative recommendations to accelerate approval of generics, biosimilars, combination products, and second-in-class brand name medications; and improve the process through which prescription drugs can be reclassified as over-the-counter medications, including recommendations to optimally identify prescription drugs that can be safely provided to patients over the counter;
  • Requires HHS, the Department of Justice, the Department of Commerce, and the Federal Trade Commission to conduct listening sessions and issue a report with recommendations to reduce anti-competitive behavior from pharmaceutical manufacturers.


State Medicaid Programs Can Deny Out-Of-State Providers Supplemental Payments

April 9, 2025

While Medicaid rules require state Medicaid programs to provide reimbursements for out-of-state services provided to beneficiaries, the District of Columbia Court of Appeals has ruled that states can limit supplemental payments funded through a tax or assessment on in-state providers to in-state providers.

In Asante v. Kennedy, No. 23-5055 (D.C. Cir. 2025), border hospitals caring for California residents covered by California’s Medi-Cal program argued California violated the Commerce Clause and the Equal Protection Clause of the Constitution by refusing to pay Medi-Cal supplemental payments provided to in-state hospitals caring for Medi-Cal beneficiaries to the border hospitals treating Medi-Cal beneficiaries seeking care outside California. 

The Medi-Cal program is the program through which California participates in Medicaid. Federal Medicaid funding is available to States for expenditures related to the provision of a covered Medicaid service to a Medicaid beneficiary under 42 U.S.C. § 1396b.

For purposes of Asante, the Court distinguished between two types of State Medicaid expenditures:

  • Base payments, which CMS has defined as payments made to providers “on a per-claim basis for services rendered to a Medicaid beneficiary,” and
  • Supplemental payments, which are payments to providers separate from (and in addition to) the “per-claim” base payments for services rendered to a beneficiary.

See Medicare and Medicaid Programs; Minimum Staffing Standards for Long-Term Care Facilities and Medicaid Institutional Payment Transparency Reporting, 89 Fed. Reg. 40,876, 40,925 (June 21, 2024) (citing 42 U.S.C. § 1396b(bb)); 42 C.F.R. § 438.6(a).

The Medicaid law does not require states to fund their share of Medicaid expenditures entirely on their own. Instead, States may tax providers in accordance with specified criteria to generate funds that the federal government then matches. In 2009, California exercised this taxing authority by establishing a Quality Assurance Fee (“QAF”) as part of its administration of Medi-Cal. The QAF program operates by: (i) assessing a provider tax, which California calls a quality assurance fee, on nonexempt in-state hospitals; (ii) using those funds to generate matching federal Medicaid funding; and (iii) distributing the collected funds as supplemental payments to qualifying private in-state hospitals. Id. §§ 14169.50, 14169.52, 14169.54, 14169.55.

Following California’s original creation of the QAF program, a group of out-of-state hospitals located near the California border challenged the program in federal court in California, claiming an entitlement to receive the QAF supplemental payments, which by California law were to go solely to in-state hospitals. At that time, California chose to settle rather than fight the out-of-state hospitals. Consequently, California entered into settlement agreements under which it gave QAF supplemental payments to those out-of-state hospitals through 2019. Those settlement agreements expired in 2019.

When California sought and obtained in 2020 CMS approval of the QAF program with payments restricted to in-state hospitals for the next two-year cycle, California again faced challenges from out-of-state hospitals along its border. A group of out-of-state hospitals located near the California border again argued in federal court that their exclusion from the QAF supplemental payments violates the Commerce Clause, the Equal Protection Clause, and federal Medicaid regulations. After the district court granted summary judgment approving the California exclusion of the out-of-state providers, Asante v. Azar, 656 F. Supp. 3d 185, 190 (D.D.C. 2023), the border hospitals appealed.

In its ruling upholding California’s limitation of eligibility for the supplemental payments, the Court rejected each of the border hospitals’ constitutional challenges to their ineligibility.

Regarding the Commerce Clause, the Court of Appeals rejected the border hospitals’ claim that the QAF program discriminates against interstate commerce because California pays QAF supplemental payments only to in-state hospitals. The Appeals Court noted that both the QAF provider tax assessed against in-state hospitals and the QAF supplemental payments given to in-state hospitals are calculated based solely on the in-state provision of medical care to in-state patients. The QAF program does not assess a tax against out-of-state hospitals, and California makes no “obvious effort to saddle those outside the State” with the costs of the QAF program. Since out-of-state hospitals neither incur the costs (the provider tax) nor receive the benefits (the supplemental payments) of the QAF program, the Appeals Court held that the program does not discriminate against interstate commerce, as it imposes no “differential burden on any part of the stream of commerce” here. See W. Lynn Creamery, Inc. v. Healy, 512 U.S. 186, 202 (1994).

The Court likewise rejected the border hospitals’ claim that California violated the Equal Protection Clause. Noting that a challenged state law such as the California statute that does not include factors justifying heightened scrutiny must be upheld under the Equal Protection Clause “if there is any reasonably conceivable state of facts that could provide a rational basis” for it, the Court ruled that limiting eligibility for the supplemental payments to the in-state hospitals that paid the taxes that fund them satisfies that standard. Accordingly, the Court ruled the border hospitals were not entitled to receive supplemental payments under the Equal Protection Clause.

Finally, the Appeals Court also rejected the border hospitals’ last argument that California’s QAF program violated HHS Regulations by denying the supplemental payments to the border hospitals because the supplemental payments are not reimbursements for services and therefore not covered by 42 C.F.R. § 431.52.

Accordingly, the Appeals Court ruled that California does not violate the Commerce Clause or Equal Protection Clause of the United States Constitution by excluding out-of-state hospitals located along the California border (“border hospitals”) that treat California residents enrolled in Medi-Cal from eligibility to collect Medi-Cal supplemental payments paid to California hospitals for treating Medi-Cal-covered Californians.

The author of this update, Cynthia Marcotte Stamer, has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, government health and social security programs, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about health industry quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD, FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.


Texas Pharmacist Ordered To Serve 17+ Years, Repay $115 Million & Forfeit Record $405 Million For Health Care Fraud

April 8, 2025

Plano, Texas pharmacist Dehshid “David” Nourian must serve 17 years and six months in prison, pay more than $115 million in restitution and forfeit a record $405 million in assets for his role in a $145 million scheme to defraud the Department of Labor by submitting fraudulent prescription compound creams claims.

According to court documents and evidence presented at trial, Nourian and others conspired to pay doctors to prescribe medically unnecessary compound creams to injured federal workers. Nourian and others owned and operated three pharmacies located in Fort Worth and Arlington, Texas. Over the course of the scheme, they paid doctors millions of dollars in illegal bribes and kickbacks for referring expensive compound medications to be filled by those pharmacies.

Evidence at trial showed these compounds were mixed in the back rooms of the pharmacies by untrained teenagers at a cost to the defendants of around $15 per prescription. The pharmacies then billed the Department of Labor’s Office of Workers’ Compensation Programs (“DOL-OWCP”) for as much as $16,000 per prescription.

Patients who received the creams testified at trial to the creams’ ineffectiveness and that using the creams resulted in painful, irritating skin rashes in some instances.

The $405 million forfeiture is the highest forfeiture ever obtained in a health care fraud case in the Justice Department’s history.

In less than three years, between May 2014 and March 2017, the pharmacies billed the DOL-OWCP and Blue Cross Blue Shield more than $145 million and were paid more than $90 million for unnecessary prescriptions referred by medical providers in exchange for the illegal bribes and kickbacks.

Nourian and others then attempted to conceal their ill-gotten gains by laundering the money through purported holding companies and attempted to evade paying $24 million in federal income taxes on the illicit proceeds.

In November 2023, a federal jury in the Northern District of Texas convicted Nourian of one count of conspiracy to commit health care fraud, eight counts of health care fraud, one count of conspiracy to launder money, five counts of money laundering, and one count of conspiracy to defraud the United States by failing to report and attempting to evade the collection of taxes owed to the IRS.

On February 21, 2025, a federal court ordered Nourian to serve a 17-and-a-half-year prison sentence and to pay $115 million in restitution as the sanction for his conviction.

In an order issued following Nourian’s sentencing, the court also ruled that Nourian will forfeit $405 million in seized assets tied to his crimes. Evidence at trial demonstrated that Nourian and his co-conspirators used a complex web of bank accounts and shell companies to launder their fraud proceeds, ultimately depositing tens of millions of dollars into Nourian’s and other family members’ bank and investment accounts. The forfeiture order returned that money to the taxpayers and included the forfeiture of $395 million in brokerage accounts, over $2 million in bank accounts, real estate in Dallas and Austin worth $8 million, and a BMW luxury vehicle.

The prosecution and sentencing show the high price pharmacists and other health care providers can incur for dishonest or other fraudulent conduct in health care or coverage.

The author of this update, Cynthia Marcotte Stamer, has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about health industry quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and heath care management, internal and operational controls, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD,  FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements. 

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.


$11 Million False Claims Act Cybersecurity Settlement Reminds Health Plans HIPAA Isn’t Only Cyberbreach Exposure

March 17, 2025

The more than $11 million that Health Net Federal Services Inc. (“HNFS”) and its corporate parent, Centene Corporation, have agreed to pay under a settlement resolving claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (“DoD”) reminds health industry organizations that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is only one of many federal statutes under which their organizations and their leaders can incur liability for cybersecurity breaches or other deficiencies. As the HNFS settlement makes clear, for instance, HIPAA Entities and other businesses that violate conditions of participation or contractual requirements for federal program participation also risk potentially significant liability for deficiencies in their compliance with the data security, privacy or other cybersecurity requirements of those programs.

HIPAA Important But Not Only Cyber Liability Risk For Health Industry Organizations

Most health care providers, health insurers and other health plans, and healthcare clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) recognize the importance of complying with the national standards for the protection of individuals’ electronic protected health information (“ePHI”) set forth in the HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) to minimize or avoid the painful civil monetary penalties or even criminal liability HIPAA authorizes for violations of HIPAA.

While the lengthy and growing list of HIPAA civil monetary penalties and resolution agreements obtained by the Department of Health and Human Services (“HHS”) Office for Civil Rights from HIPAA Entities found to have violated the Security or other requirements of the HIPAA Rules shows the continued importance for HIPAA Entities of maintaining HIPAA compliance, enforcement actions like the HNFS settlement drive home that HIPAA Entities should not ignore other important cybersecurity obligations arising from the cybersecurity requirements created under terms of participation applicable to federal programs, or other applicable laws or statutes.

HNFS False Claims Act Cyber Liability Settlement

The HNFS enforcement action and settlement reveal False Claims Act liability as another significant cyber liability risk for health care providers, health care exchange insurers, Medicare Advantage, Medicaid Advantage, SCHIP, TRICARE and other military health, health technology, and other health industry organizations and their business associates and other subcontractors who are government contractors or grant recipients.

The Justice Department previously has warned federal contractors that failing to fulfill or falsely certifying their compliance with required cybersecurity standards applicable to their contracts or programs could expose them to civil liability for violation of the False Claims Act[1] (“FCA”). On October 6, 2021, then-Deputy Attorney General Lisa O. Monaco announced that a Civil Cyber-Fraud Initiative would use the FCA to hold accountable government contractors and grant recipients that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches applicable to their federal contracts or programs.

To violate the FCA, the government contractor or other accused person must have submitted, or caused the submission of, the false claim or made a false statement or record with knowledge of the falsity.  Under Section 3729(b)(1), knowledge of false information is defined as being (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information.

The Department of Justice obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending Sept. 30, 2024.   Under the FCA, government contractors or other persons violating the FCA generally are liable to pay the United States three times the government’s damages plus a penalty that is linked to inflation for knowingly submitting or causing another to submit a false claim to the government; making a false record or statement to get a false claim paid by the government; acting improperly to avoid having to pay money to the government; or conspiring to violate the FCA.  In addition to allowing the United States to pursue FCA violations on its own, the FCA allows private citizens to file “qui tam” suits on behalf of the government against violators of the FCA.  Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Justice Department FCA and other fraud  investigations and lawsuits arise from such qui tam actions.

While the Justice Department’s announcement of the HNFS settlement did not expressly reference the Civil Cyber-Fraud Initiative, the action and statements made by Justice Department officials in connection with its announcement reflect that the Justice Department remains committed to using the False Claims Act to hold federal government health care and other contractors, subcontractors, and grant recipients accountable for failing to comply with applicable federal cybersecurity requirements.

Beginning in 2010, HNFS contracted with the DOD to provide managed healthcare support services for the TRICARE program in approximately 22 states. The support services included administrative support services, provider network development, referral management, enrollment support, and claims processing services. In 2016, Centene succeeded to these contractual obligations when it acquired all of the shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS. Consistent with applicable conditions for participation in the program, HNFS’s contract with the DOD required HNFS to comply with DOD data security and privacy requirements and to periodically certify that compliance.

The TRICARE contract required HNFS to “provide information management and information technology support as needed to accomplish the stated functional and operational requirements of the TRICARE program” and to adhere to certain privacy standards and cybersecurity requirements, including but not limited to 48 C.F.R. § 252.204-7012 and 51 security controls listed in the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53), Security and Privacy Controls for Information Systems, Revision 4. The annual certification requirement included in the contract also required HNFS annually to certify both compliance with the standards and “that the security controls required by the contract are implemented correctly, operating as intended, and support the security policies of the Defense Health Agency.”

The settlement resolves DOD and Justice Department allegations that, between 2015 and 2018, HNFS failed to provide the cybersecurity controls required under its contract. Specifically, the Justice Department charged that:

  • HNFS failed to timely scan for known vulnerabilities and remedy security flaws on its networks and systems, in accordance with its System Security Plan and response times established by HNFS;
  • HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies; and
  • HNFS falsely attested to DHA that it was in compliance with at least seven of the NIST 800-53 security controls listed in the NIST Compliance Certifications when it submitted those certifications to DHA.

The Justice Department and DOD also charged HNFS with falsely certifying compliance with these controls in annual reports to DHA that were required under its contract to administer the TRICARE program.

As a result of these deficiencies, the Justice Department and Department of Defense claimed that HNFS’ claims for reimbursement under the TRICARE contract were false, regardless of whether there was any exfiltration or loss of servicemember data or protected health information.

To resolve the alleged False Claims Act liability asserted by the government, HNFS and Centene Corporation agreed to pay $11,253,400 to the Department of Justice. The settlement agreement also expressly reserves the United States’ right to pursue any criminal charges arising from the conduct and limits HNFS and Centene from raising the settlement as a bar to any such criminal charges.

Statements made by Justice Department officials in its announcement of the HNFS settlement signal that the Justice Department remains committed to using the False Claims Act to hold government contractors and other recipients of federal funds accountable for failing to comply with cybersecurity requirements of their contracts.

The press release announcing the settlement quotes Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division as warning, “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

Meanwhile, Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General, also is quoted as stating, “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

Taken together with the HNFS enforcement action and resulting settlement, these statements provide a strong warning for health industry and other government contractors that their failure to comply with cybersecurity requirements in their federal contracts or grants could lead to prosecution under the False Claims Act in addition to otherwise applicable liabilities arising under HIPAA or other federal or state laws. Accordingly, health care organizations; Medicare, Medicaid, SCHIP, TRICARE and Federal Health Insurance Exchange program contractors; and other federal government contractors, subcontractors and grant recipients also should ensure their ability to defend their ongoing compliance with any data security, privacy or other federal cybersecurity requirements to guard against potential False Claims Act liability for noncompliance with these contractual responsibilities.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about HIPAA and other protected health information, trade secret, personal information and other cybersecurity and other data and systems use, protection, and these and other federal and state program design, contracting, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and health care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD, FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements.


[1] 31 U.S.C. §§ 3729–3733.


Texas Pharmacist Gets 17+ Years Prison Sentence & To Forfeit $405M in Assets For Making False Federal Health Plan & Worker’s Comp Claims

March 17, 2025

Texas pharmacist Dehshid “David” Nourian was sentenced to 17 years and six months in prison and ordered to pay over $115 million in restitution for his role in a $145 million scheme to defraud the Department of Labor by submitting fraudulent claims for prescription compound creams on February 21, 2025. On March 6, the court also forfeited $405 million in assets tied to Nourian’s fraud and money laundering schemes.

According to court documents and evidence presented at trial, Nourian and others conspired to pay doctors to prescribe medically unnecessary compound creams to injured federal workers. Nourian and others owned and operated three pharmacies located in Fort Worth and Arlington, Texas. Over the course of the scheme, they paid doctors millions of dollars in illegal bribes and kickbacks for referring expensive compound medications to be filled by those pharmacies. Evidence at trial showed these compounds were being mixed in the back rooms of the pharmacies by untrained teenagers at a cost to the defendants of around $15 per prescription and then billed to the Department of Labor’s Office of Workers’ Compensation Programs (DOL-OWCP) for as much as $16,000 per prescription. Patients who received the creams testified at trial to the creams’ ineffectiveness and, in some instances, that using the creams resulted in painful, irritating skin rashes.

In less than three years, between May 2014 and March 2017, the pharmacies billed the DOL-OWCP and Blue Cross Blue Shield more than $145 million and were paid more than $90 million for unnecessary prescriptions referred by medical providers in exchange for the illegal bribes and kickbacks. Nourian and others then attempted to conceal their ill-gotten gains by laundering the money through purported holding companies and attempted to evade paying $24 million in federal income taxes on the illicit proceeds.

In November 2023, a federal jury in the Northern District of Texas convicted Nourian of one count of conspiracy to commit health care fraud, eight counts of health care fraud, one count of conspiracy to launder money, five counts of money laundering, and one count of conspiracy to defraud the United States by failing to report and attempting to evade the collection of taxes owed to the IRS.

In an order issued following Nourian’s sentencing, the court also ruled that Nourian will forfeit $405 million in seized assets tied to his crimes. Evidence at trial demonstrated that Nourian and his co-conspirators used a complex web of bank accounts and shell companies to launder their fraud proceeds, ultimately depositing tens of millions of dollars into Nourian’s and other family members’ bank and investment accounts. The forfeiture order returned that money to the taxpayers and included the forfeiture of $395 million in brokerage accounts, over $2 million in bank accounts, real estate in Dallas and Austin worth $8 million, and a BMW luxury vehicle.

The $400+ million forfeiture ordered by the court is the highest forfeiture ever obtained in a health care fraud case in the Justice Department’s history.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers and their technology and other service providers, health plans and insurers, third party administrators, managed care and other health care industry clients about Medicare and other health care quality, technology, reimbursement, compliance, enforcement, governmental affairs, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.


©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


$1.5 Million Warby Parker Penalty Latest Reminder Of Cyberattack HIPAA Liability Risks

March 13, 2025

The $1,500,000 civil monetary penalty (“CMP”) the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed against online prescription and nonprescription eyewear manufacturer and online retailer Warby Parker, Inc., for Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule violations warns other HIPAA-covered health care providers, health plans, and healthcare clearinghouses (“covered entities”) and their business associate service providers (collectively, “HIPAA Entities”) to protect electronic systems with electronic protected health information (“ePHI”) from ransomware and other hacking attacks.

HIPAA Hacking Responsibilities & Risks

The HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) set requirements that HIPAA Entities must follow to protect the privacy and security of protected health information (“PHI”).

The HIPAA Security Rule establishes national standards to protect individuals’ ePHI created, received, used, disclosed, maintained, or transmitted by a HIPAA Entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of ePHI.

OCR guidance and enforcement make clear it considers protecting ePHI from improper access, use, disclosure, and destruction or other unavailability due to ransomware and other hacking threats.

Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation for violations after November 2, 2015.

Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline compliance programs that covered entities and their leaders need to mitigate their exposure to organizational liability under the Guidelines.

HIPAA breaches also generally expose HIPAA Entities and their leaders to potential liability under federal and state electronic crimes and other data breach and security laws; Federal Trade Commission and other federal and state fraud and deceptive business laws; securities laws; and Federal Sentencing Guideline and other liability for health care or other fraud and other crimes enabled by inadequate compliance or response. They also can create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and cause a host of other legal, operational, business partner and public relations headaches.

Warby Parker’s Hard Lesson

Warby Parker is the latest in a fast-mounting list of HIPAA Entities nailed for hacking-related HIPAA breaches.

The $1.5 million Warby Parker civil money penalty announced February 20, 2025, resulted from an OCR investigation of a breach report that Warby Parker filed in December 2018 about a hacking incident involving customer accounts. The report stated that in November 2018, Warby Parker became aware of unusual, attempted log-in activity on its website. Warby Parker reported that between September 25, 2018, and November 30, 2018, unauthorized third parties gained access to Warby Parker customer accounts by using “credential stuffing.” Hackers used usernames and passwords obtained from other, unrelated websites that were presumably breached to access the Warby Parker data.

In September 2020, Warby Parker filed an addendum to its December 2018 breach report, updating the number of individuals affected by the breach to 197,986.

The compromised ePHI included customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information.

Warby Parker also filed subsequent breach reports (each breach report affecting fewer than 500 persons) in April 2020, and June 2022, following similar attacks.

OCR’s investigation of the breach reports found evidence of three violations of the HIPAA Security Rule. These included:

  • Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems;
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
  • Failure to implement procedures to regularly review records of information system activity.

Based on these findings, OCR’s Notice of Final Determination imposed a $1,500,000 civil money penalty.
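As an added illustration (not part of the original update and not drawn from OCR's findings), the following Python sketch shows one way a regular review of login records can surface credential stuffing of the kind described above: a single source trying many different usernames in a short period with mostly failed attempts. The log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2018-11-01T09:58:00 203.0.113.10 alice@example.com FAIL
2018-11-01T09:58:20 203.0.113.10 alice@example.com OK
2018-11-01T10:00:01 198.51.100.7 dave@example.com FAIL
2018-11-01T10:00:03 198.51.100.7 erin@example.com FAIL
2018-11-01T10:00:05 198.51.100.7 frank@example.com FAIL
2018-11-01T10:00:08 198.51.100.7 carol@example.com OK
2018-11-01T10:00:10 198.51.100.7 grace@example.com FAIL
2018-11-01T10:00:12 198.51.100.7 heidi@example.com FAIL
2018-11-01T10:01:00 192.0.2.50 ivan@example.com OK
2018-11-01T10:02:00 192.0.2.50 judy@example.com OK
2018-11-01T10:03:00 192.0.2.50 ken@example.com OK
2018-11-01T10:04:00 192.0.2.50 lena@example.com OK
2018-11-01T10:05:00 192.0.2.50 mike@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts, mostly unsuccessfully.

    A shared office address with many users who all log in successfully has a
    high account count but a low failure ratio, so it is not flagged.
    Thresholds are illustrative assumptions, not regulatory values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            suspicious = (len(users) >= min_users
                          and fails / len(chunk) >= min_fail_ratio)
            # Keep the largest suspicious window seen for this source.
            if suspicious and (ip not in findings
                               or len(chunk) > findings[ip]["attempts"]):
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "failures": fails,
                    # Accounts this source logged into successfully: these
                    # need review, password reset and breach assessment.
                    "accounts_to_review": sorted(
                        {u for _, u, ok in rows if ok}),
                }
    return findings


def analyze(log_text):
    """Parse a whole log and return the per-source findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return find_stuffing_sources(events)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The successful logins from a flagged source matter most, because those are the accounts whose ePHI may have been accessed.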

Ransomware & Other Hacking Now OCR #1 HIPAA Enforcement Priority

All HIPAA Entities should learn from the costly lessons of Warby Parker and the many other HIPAA Entities sanctioned or awaiting their consequences for hacking incidents and consult with qualified legal counsel for assistance in conducting an assessment of the adequacy of their current compliance.

Hacking, ransomware and other cyberattacks collectively and individually account for the breaches of ePHI affecting the largest number of individuals by far and away.

OCR announced various other hacking or other cyberattack related large breaches intermittently across the years.

Hacking-related HIPAA investigations and enforcement actions date back to the 2015 hacking breach at Premera Blue Cross that impacted more than 10.4 million individuals’ records and led to Premera paying OCR $6.85 million to settle resulting OCR HIPAA charges.

After periodically warning HIPAA Entities to address ransomware and hacking through its announcement of occasional hacking-related breach enforcement actions and other guidance, epidemic ransomware and other large scale cyber breaches targeting UnitedHealthcare subsidiary Change Health, Ascension Health, and many other large health care and health insurance organizations prompted OCR to identify HIPAA Security Rule breaches involving ransomware and other cyberattacks as a top prevention, investigation and enforcement priority. Since then, the list of HIPAA entities paying OCR civil monetary penalties or settlements to resolve cyberattack related HIPAA charges has quickly and steadily grown. With the number of cyberattacks impacting HIPAA entities accelerating, the number and magnitude of penalties assessed will only grow.

OCR has published a long list of guidance and alerts to help HIPAA Entities fulfill their HIPAA duties to safeguard their ePHI from ransomware and other cyberattacks and resulting HIPAA liabilities.

Among other things, OCR recommends that HIPAA Entities take the following steps to mitigate or prevent cyber-threats:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems;
  • Integrate risk analysis and risk management into the organization’s business processes;
  • Ensure that audit controls are in place to record and examine information system activity;
  • Implement regular reviews of information system activity;
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI;
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate;
  • Incorporate lessons learned from incidents into the organization’s overall security management process; and
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

OCR regulations, resolution agreements, and civil monetary penalty assessments also make clear that HIPAA Entities must carefully document their original risk assessments, their timely monitoring and response to new threats, the analysis underlying their risk assessments and response, and other critical details and be prepared to produce that risk assessment in the event of an OCR investigation or audit.

This guidance also reflects that HIPAA Entities should capture their ongoing use of appropriate procedures to monitor and respond to signs of threat or compromise to their own systems as well as OCR and other agency and industry alerts about emerging threats and susceptibilities as part of their ongoing risk assessment and response process.

Given the high threat environment and the growing HIPAA and other liabilities that commonly follow a cyberattack breach, HIPAA entities and their leaders should consider the advisability of conducting these assessments and any known or suspected breach investigation and response with the benefit of guidance from HIPAA experienced legal counsel within the scope of attorney-client privilege.

HIPAA entities also should ensure appropriate plans and resources to investigate and respond to any breach that might occur promptly. Most entities will want to secure liability insurance coverage as well as require suitable credential information, indemnification, insurance and other assurances from their business associates and other vendors with access to systems or data that includes electronic PHI.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For HIPAA Help or Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.



HHS Issues Southern California Fire Public Health Emergency Disaster Relief

January 10, 2025

Health care providers, health plans and insurers, child care facilities, schools and other Southern California organizations impacted by the California fires that are regulated by the Department of Health and Human Services (“HHS”) may qualify for temporary waivers or modification of certain HHS regulatory obligations under the Declarations of a Public Health Emergency (“PHE”) published by HHS today.

The relief provided by the PHE includes:

An extensive list of resources and guidance to help health plans, health care providers and others to understand and cope with HHS requirements in disaster or other emergency situations such as:

Health care providers and other HHS-regulated entities impacted by the fire or other disasters should carefully review this guidance to understand the scope and availability of the current relief. Additionally, health care providers, health plans, business associates and other HHS-regulated entities not currently impacted by today’s or another public health emergency declaration should keep in mind that they likely are subject to HHS and other regulatory, statutory, common law, or ethical obligations to make advance arrangements to deal with their responsibilities during a disaster. Accordingly, providers and others not currently affected by the current disaster should heed the reminder from the disaster to reconfirm, before they are impacted by a disaster, the adequacy of their own policies, plans and arrangements to provide for their continued ability to fulfill HHS regulatory and other obligations in the event of a disaster.

Health care providers and other HHS-regulated entities planning to rely upon the PHE relief should keep in mind the limited duration and scope of the relief provided by this PHE or any other HHS public health emergency declaration. Entities planning to rely on the PHE relief must review the scope, conditions and duration requirements and ensure their ability to defend their continued compliance taking into account these limited waivers and modifications.

Also, the PHE guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified at the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.

Furthermore, health care providers, health plans and insurers, and other HHS-regulated entities typically face a myriad of responsibilities beyond those imposed by HHS under various federal and state laws, other agency regulations, contracts, common law and ethical or other standards or rules. Consequently, providers and other HHS entities intending to rely on the HHS PHE also should check other agencies’ disaster declaration webpages to determine what additional relief from other agency requirements, if any, their organization may qualify for as a result of the disaster. Except to the extent covered by other declared disaster relief, coverage by or compliance with the HHS PHE guidance and policies typically provides no protection against liability for failure to fulfill duties or responsibilities under these other laws, regulations or standards or beyond the specific relief granted in the HHS PHE. Accordingly, entities impacted by the fire or another disaster are urged to take necessary steps before, during and after any disaster to position themselves to demonstrate fulfillment of duties and mitigate the seriousness of any alleged deficiencies in their compliance.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 



3/31 Deadline To Submit Submissions

January 6, 2025

The Centers for Medicare & Medicaid Services (CMS) has opened data submission for the 2024 performance year of the Quality Payment Program (“QPP”). Providers can submit and update data until 8 p.m. ET on March 31, 2025.

How to Submit and Review Your 2024 MIPS Data

Follow the steps outlined below to submit data:

  • Go to the QPP sign in page.
  • Sign in using your QPP access credentials.
  • Submit your data for the 2024 performance year or review the data reported on your behalf by a third party. (You can’t correct errors with your data after the submission period, so it’s important to make sure the data submitted on your behalf is accurate.)

Submission resources are available on the QPP Resource Library.

How to Sign In to the QPP Data Submission System

To sign in and submit data, clinicians will need an HCQIS Authorization Roles and Profile (HARP) account and a QPP role. For help enrolling with HARP, please refer to “Step 1. Register for a HARP Account” in the QPP Access User Guide (ZIP, 4MB). For help obtaining a QPP role, please refer to “Step 2. Connect to an Organization” in the QPP Access User Guide (ZIP, 4MB).

CMS encourages all users with an existing HARP account to sign into the QPP website now to ensure they don’t lose access.

Note: Clinicians unsure about their eligibility to participate in the Merit-based Incentive Payment System (MIPS) for the 2024 performance year can check their final eligibility status using the QPP Participation Status Tool. Clinicians and groups that are opt-in eligible must make an election to opt-in or voluntarily report before they can submit data. (No election is required for opt-in eligible clinicians and groups that don’t want to participate in MIPS.)

Reminder: Preliminary Scoring No Longer Available During Submission

As a reminder, CMS eliminated the preliminary score and preliminary category-level scores from submission. We’ll release 2024 MIPS final scores in mid-June 2025.

Submit Early

CMS encourages providers to submit 2024 MIPS performance period data early during the submission period to allow plenty of time for Service Center assistance if needed.

The QPP Service Center projects an increase in volume between January 2, 2025, and March 31, 2025.

There are a variety of ways to contact the QPP Service Center for submitters needing help:

  • You can schedule a call with a QPP Service Center Representative at a time that works best for you. Just go to the CCSQ Support Central page and click on Schedule a Call.
  • You can also submit a ticket for support by clicking on Request Support and selecting Call Scheduling Options from the dropdown menu.
  • Live Chat: CCSQ Support Central Chat and Resource Line (CARL). The Support Central Chat feature, CARL, is another option to use for assistance. To contact the QPP Service Center via Chat, go to the CCSQ Support Central page and click on the Chat icon in the lower right area:

Due to the anticipated increase in volume at the QPP Service Center and to minimize a backlog, CMS asks providers to use only one method of reporting for the same issue (email, phone, or CCSQ Support Central). CMS processes cases in the order received, regardless of how the Service Center was contacted. Please allow time for processing.

For additional information please visit the QPP Resource Library to review new and existing resources or contact the author.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers and their technology and other service providers, health plans and insurers, third party administrators, managed care and other health care industry clients about Medicare and other healthcare quality, technology, reimbursement, compliance, enforcement, governmental affairs, dispute resolution, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.  

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


New March 14 Deadline To Submit HQR System CY 2024 Medicare Data & Attestations

January 6, 2025

March 14, 2025 now is the deadline for eligible hospitals and critical access hospitals (“CAHs”) to submit calendar year (“CY”) electronic clinical quality measure (“eCQM”) data and attestations for the 2024 Medicare Promoting Interoperability Program.

The Hospital Quality Reporting (“HQR”) System currently is open to accept this data.

The March 14 deadline is an extended deadline. Previously, submissions were due on February 28, 2025. However, the Department of Health and Human Services now has delayed the deadline to Friday, March 14, 2025, at 11:59 p.m. Pacific Time (PT).

By March 14, 2025, at 11:59 p.m. PT, Medicare Promoting Interoperability Program participants are required to complete all required data reporting and attestations.

The CY 2024 HQR User Guide provides the necessary tools to register, log in, and navigate within the HQR system. It contains the steps needed to submit data for the Medicare Promoting Interoperability Program, including eCQM data. Refer to the CY 2024 QRDA I Submission Checklist for more help on submitting eCQM data. 

Facilities that experience difficulty successfully meeting the Medicare Promoting Interoperability Program requirements for certain reasons may apply for a Hardship Exception. A granted Hardship Exception avoids a downward payment adjustment for the Medicare Promoting Interoperability Program.

To be considered for an exception (to avoid a downward payment adjustment), eligible hospitals and CAHs must complete and submit a Hardship Exception application. If approved, the Hardship Exception is valid for only one payment adjustment year. Eligible hospitals and CAHs would need to submit a new application for subsequent years, provided that no eligible hospital or CAH can receive more than five exceptions in a lifetime.

For more information regarding Hardship Exceptions, please review the CY 2024 Hardship Exception Fact Sheet.

For more information on CY 2024 Medicare Promoting Interoperability Program Requirements, reference the resources below or contact the author of this update:

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers and their technology and other service providers, health plans and insurers, third party administrators, managed care and other health care industry clients about Medicare and other healthcare quality, technology, reimbursement, compliance, enforcement, governmental affairs, dispute resolution, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.



2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Avoid Missing Form Updates

December 27, 2024

2025 federal surprise billing independent dispute resolution fees applicable to health care providers, health plans, and health insurers are holding steady.

On December 27, 2024, the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) updated the No Surprises Act (NSA) website to reflect updated certified IDR entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2024 IDR entity fee ranges. The Departments announced these fees will remain unchanged for 2025.

The 2025 IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2025. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

Along with confirming the 2025 fees, the Departments caution plans and providers to monitor the website for updates to the IDR web form to accommodate guidance-related and system enhancements. The Departments ask plans and providers who have previously initiated an IDR dispute to clear their computer’s cache or open the IDR initiation web form in a private or incognito window at least once a week to see all the new features. The Departments warn that failure to clear the cache or open this form in private/incognito mode could result in additional follow-up with certified IDR entities or system errors.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health plans and insurers, third party administrators, managed care and other health care payers and providers with surprise billing and other claims, payment and other design, administration, regulatory and other enforcement, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.


©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


$1.19 Million Penalty Warns HIPAA Health Care & Other Covered Entities To Ensure HIPAA Compliance Defensibility Including Service Provider Threats

December 6, 2024

The $1.19 million Health Insurance Portability and Accountability Act (“HIPAA”) penalty imposed on a Florida pain clinic this week sends a clear warning to other health care providers, health plans, healthcare clearinghouses and their business associates (“Covered Entities”) to take adequate, documented steps to ensure the defensibility of their own safeguards and other compliance with the HIPAA Security Rule, including safeguards against threats from their own current and former workers and service providers.

HIPAA Security Rule

The HIPAA Privacy, Security, and Breach Notification Rules require health plans, health care clearinghouses, and most health care providers, and their business associates (“Covered Entities”) to meet requirements to protect the privacy and security of protected health information (“PHI”). The HIPAA Security Rule included in these rules requires Covered Entities to conduct and maintain documented risk assessments to prove their efforts to comply with detailed national administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (“ePHI”).

Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation for violations after November 2, 2015.

Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines.

Additionally, HIPAA breaches may expose Covered Entities and their leaders to potential breach liability under securities, electronic crimes, and other data breach and security laws, and to Federal Sentencing Guideline and other liability for health care or other fraud and other crimes enabled by inadequate compliance or response. Breaches also may create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and cause a host of other legal, operational, business partner and public relations headaches.

New $1.19 Million Settlement

The $1.19 million penalty against pain clinic Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast Pain Consultants”), announced December 4, 2024 by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), shows how quickly a Covered Entity found in violation of these rules can rack up substantial civil monetary penalties.

The Gulf Coast Pain Management civil monetary penalty arose from OCR’s finding of “systematic” HIPAA Security Rule violations while investigating a breach report that a former contractor for the company impermissibly accessed their electronic record system.

OCR initiated the investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims.

OCR’s investigation revealed the breach was accomplished by an independent contractor hired to provide business consulting in 2018, whose contract was terminated several months later, before the end of the contract term.

After the contract terminated, Gulf Coast did not immediately terminate the former contractor’s system access.

Months later on February 20, 2019, Gulf Coast discovered that on three occasions, between September 7, 2018, and February 3, 2019, the Contractor impermissibly used its access to Gulf Coast’s electronic medical record (“EMR”) system to access the ePHI of approximately 34,310 individuals. On February 21, 2019, Gulf Coast terminated the independent contractor’s access to its systems.

It was later discovered that the Contractor generated medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. The Contractor was indicted under 18 U.S.C. §1347 and §1028(a)(1) and was ultimately found not guilty.

On April 5, 2019, Gulf Coast filed a breach report with OCR concerning this incident. The report described that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.  

Based on the investigation, OCR found four violations of the HIPAA Security Rule by Gulf Coast Pain Consultants, including failures to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;  
  • Implement procedures to regularly review records of activity in information systems;  
  • Implement procedures to terminate former workforce members’ access to ePHI; and  
  • Implement procedures for establishing and modifying workforce members’ access to information systems. 

As often happens, the investigation and other processes leading to the settlement were protracted and expensive.

More than four years after the breach and its report, OCR issued a Notice of Proposed Determination in August 2024 seeking to impose a civil money penalty. After Gulf Coast waived its right to a hearing and did not contest OCR’s findings, OCR issued its Notice of Final Determination imposing the $1,190,000 civil money penalty.

Lessons

Aside from demonstrating the significant penalties that Covered Entities can face for failing to satisfy HIPAA, the settlement also highlights the need to manage data security threats from contractors and other current and former service providers with access to ePHI.

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer in its announcement of the penalty. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.” 

OCR recommends that Covered Entities take a number of steps to mitigate or prevent cyber threats, including:

  • Integrate risk analysis and risk management into business processes. 
  • Implement regular review of information system activity. 
  • Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends. 
  • Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
  • Take the many other risk assessment and mitigation actions required in response to existing and emerging threats, as identified and evaluated through the ongoing, documented risk assessments required by the Security Rule.

The author of this update, Cynthia Marcotte Stamer, has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management matters. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


New HIPAA Settlement Warns Providers & Health Plans Against Improper Disclosure Of Reproductive Health Information & To Update Notices, Practices & Policies For New Rules

December 3, 2024

A just-announced settlement warns health care providers, health plans, healthcare clearinghouses and their business associates (“Covered Entities”) to fulfill their responsibility to ensure the privacy of patient reproductive health and other personally identifiable health care information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules (the “Privacy Rules”). Covered Entities should ensure they have updated their policies, privacy notices, training and practices to comply with the changes to the Privacy Rules made by the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (the “Reproductive Privacy Rule”) adopted in April.

Covered Entities Required To Update Policies To Comply With New Reproductive Privacy

The HIPAA Privacy Rule enforced by the Department of Health and Human Services Office for Civil Rights (“OCR”) establishes national standards to protect individuals’ medical records, requires appropriate safeguards to protect the privacy of protected health information, sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization (such as disclosures for health oversight activities or for law enforcement purposes), and gives individuals rights such as the ability to access their own medical records.

On April 22, 2024, OCR adopted the Reproductive Privacy Rule to expand protections for reproductive health care privacy and other reproductive rights following the Supreme Court’s landmark abortion decision in Dobbs v. Jackson. The Reproductive Privacy Rule:

  • Requires Covered Entities to modify their Notice of Privacy Practices to support reproductive health care privacy;
  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities;
  • Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.

Covered Entities that have not already done so should review and update their policies, privacy notices, procedures and practices to ensure their compliance with these updated requirements.

New Holy Redeemer Reproductive Privacy Settlement

The new settlement with Pennsylvania hospital Holy Redeemer Family Medicine (“Holy Redeemer”) announced December 2, 2024, resolves charges that Holy Redeemer violated HIPAA by impermissibly disclosing reproductive health care and other PHI about a female patient. The settlement arose from a September 2023 complaint received by OCR that Holy Redeemer impermissibly disclosed surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care of a female patient to the patient’s prospective employer when the patient only authorized Holy Redeemer to send one specific test result unrelated to her reproductive health to that prospective employer. OCR’s investigation found that Holy Redeemer disclosed the patient’s full medical record, including information concerning her reproductive health care without the patient’s authorization for the broad disclosure of her PHI. OCR also found that the disclosure was not otherwise permitted under the Privacy Rule.   

Under the terms of the resolution agreement, Holy Redeemer paid $35,581 and agreed to implement a corrective action plan that identifies specific steps it will take to comply with the HIPAA Rules and protect patient privacy to prevent this from happening again. OCR will monitor the implementation of this corrective action plan for two years.

The Holy Redeemer Settlement demonstrates the advisability for each Covered Entity to ensure that its policies, privacy notices, training, practices and other controls for protecting against the wrongful use, access or disclosure of reproductive and other sensitive health care information are up to date and defensible. The author of this update, Cynthia Marcotte Stamer, has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management matters.

Along with their exposure to civil monetary penalties under HIPAA, improper sharing of reproductive health or other personal health care information also could expose health care providers to ethical or licensing discipline, malpractice, invasion of privacy or other civil suits and other liabilities. While the preemption provisions of the Employee Retirement Income Security Act (“ERISA”) generally insulate employment-based insured and self-insured health plans and their fiduciaries against state law invasion of privacy and other state tort claims, employment-based health plans, their fiduciaries, insurers and administrators breaching the Privacy Rule risk liability under HIPAA as well as ERISA breach of fiduciary duty. Where ERISA preemption does not apply, insurers, brokers or other insurance industry businesses violating these rules likewise can face licensing or other regulatory discipline as well as potential damage liability for invasion of privacy and other tort claims.

If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.





Providers & Health Plans Warned To Timely Deliver Requested Records By $100,000 HIPAA Penalty

November 21, 2024

The $100,000 penalty paid by a mental health facility alerts health care providers, health plans and health care clearinghouses (“covered entities”) to the perils of failing to timely deliver health records access as required by the Health Insurance Portability and Accountability Act (“HIPAA”).

The $100,000 civil monetary penalty against California mental health provider Rio Hondo Community Mental Health Center (“Rio Hondo”) announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on October 19, 202 is the fifty-first OCR enforcement action under its HIPAA Right of Access enforcement initiative.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules’ right of access provisions generally require covered entities to provide individuals access to their protected health information within 30 days, with the possibility of one 30-day extension, and prohibit charging more than a reasonable, cost-based fee for this access.

The penalty against Rio Hondo resolves an OCR investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. OCR enforces the right of access and other requirements of the HIPAA Privacy Rule.

OCR launched an investigation after receiving a complaint from a patient that Rio Hondo did not provide timely access to their medical records, despite multiple requests in writing and by telephone.

OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.

The patient made multiple telephone calls in July and August 2020 regarding the status of her request, but still did not receive the requested records until Rio Hondo produced them in response to the investigation.

The late delivery of the records access did not end the enforcement action. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule.

In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. After Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination, OCR issued a Notice of Final Determination imposing the penalty.

OCR’s announcement of the penalty includes a strong warning to other covered entities to comply with HIPAA’s access requirements. It quotes OCR Director Melanie Fontes Rainer as stating:

“Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”

With OCR promising to continue to prioritize enforcement, all covered entities should take documented steps to confirm the adequacy of their existing processes to ensure compliance with OCR’s Right of Access guidance and other applicable federal and state legal and ethical requirements like the Employee Retirement Income Security Act (“ERISA”) claims and appeals and Patient Protection and Affordable Care Act (“ACA”) adverse benefit procedures applicable to health plans and State ethical and statutory medical records delivery requirements applicable to providers. Health care providers also should consider including processes for tracking and monitoring access requests in these processes that provide for review every 30 days. Covered entities should keep records of these efforts for the six-year period required by HIPAA’s record retention rules.

Covered entities that receive follow-up access requests or otherwise discover a potential failure to timely provide access should engage a HIPAA-knowledgeable attorney for help and advice. Obviously, covered entities should correct any oversight promptly by delivering the records access. However, legal counsel can assist by helping the covered entity assess if a violation actually occurred, avoid added violations or inflammatory communications or actions that could enhance exposures to complaints or penalties, and suggest actions to help mitigate risks of an OCR investigation and penalties. For instance, past enforcement actions suggest a covered entity should consider foregoing requiring payment of charges HIPAA otherwise might allow for the records access to avoid further delay of access that could heighten penalty exposures. Covered entities also should document their delivery of access and their investigation and corrective actions addressing the source of the compliance failure.

The author of this update, Cynthia Marcotte Stamer, has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management matters. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.


For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


New Electronic Process For Partial QPs In CMS Quality Payment Program Coming In January

November 13, 2024

The Centers for Medicare & Medicaid Services (CMS) announced that a new electronic process for the election of Partial Qualifying Alternative Payment Model (APM) Participants (Partial QPs) to participate in the Merit-based Incentive Payment System (MIPS) will open January 2, 2025.

Historically, the election for Partial QP clinicians to participate in MIPS has been done by completing the Partial QP election form and emailing it to the Quality Payment Program (QPP) Help Desk.  

This process will no longer exist starting in calendar year (CY) 2025. Instead, the new, direct process through the QPP online application will replace the old process.

CMS is incorporating the Partial QP election process into the online QPP application, which opens to submissions on January 2, 2025. The submission window closes on March 31, 2025.

If you have questions or need advice or help evaluating or addressing these or other concerns, contact the author of this update, Cynthia Marcotte Stamer.

For More Information

We hope this update is helpful. For more information about this or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and Chair Emeritus of the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for-performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns; and to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions; regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies” and a multitude of other highly regarded publications and presentations, Ms. Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.



Invent a holiday!

November 3, 2024

Explain how and why everyone should celebrate.

National Unity Day, the first Wednesday in November.

A day for Americans to set aside the debate and divisiveness of the election season to join together to promote the best for America regardless of party or political affiliation.


Preview Your Facility’s Quality Data

October 28, 2024

Hospitals or inpatient psychiatric facilities can now, through November 26, 2024, preview the public quality data that will appear in the January 2025 release on the Compare tool on Medicare.gov and the Provider Data Catalog on the CMS Hospital Quality Reporting (HQR) page.

Medicare beneficiaries and the public can use these tools to view quality measure data for participating hospitals and facilities.

Facilities should thoroughly review their quality data as soon as possible during the preview period.

Follow these steps to access your Public Reporting preview data:

  1. Navigate to the HQR system page: https://hqr.cms.gov/hqrng/login
  2. Enter your Health Care Quality Information Systems Access Roles and Profile (HARP) User ID and Password. By logging in, you agree to the terms and conditions. Then, select Log In.
  3. You will see the Two-Factor Authorization page. Select Text or Then, select Next.
  4. Enter the code you received and select Next.
  5. On the HQR system landing page, hover over Lock Menu on the left side.
  6. Select Program Reporting.
  7. From the drop-down menu, select Public Reporting.
  8. The page will refresh, and the data will be available to

To export the data displayed on the user interface, select Export Data in the measure table. The exported measure data will be in PDF format for a user-friendly printed report.

You can find these help guides on CMS’ QualityNet website:

You can also find these quick reference guides to help preview your data:

If you have a question about your hospital or facility’s data, the following resources may help:

  • For Overall Hospital Quality Star Ratings, contact the Overall Hospital Quality Star Ratings Team via the QualityNet Question and Answer Tool.
  • For the Inpatient Psychiatric Facility Quality Reporting Program, submit questions to the Inpatient and Outpatient Healthcare Quality Systems Development and Program Support Contract Team via the QualityNet Question and Answer Tool or call (844) 472-4477 or (866) 800-8765 weekdays from 8 a.m. to 8 p.m. Eastern Time (ET).
  • For the Hospital Inpatient Quality Reporting Program, submit questions to the Inpatient and Outpatient Healthcare Quality Systems Development and Program Support Contract Team via the QualityNet Question and Answer Tool or call toll-free (844) 472-4477 or (866) 800-8765 weekdays from 8 a.m. to 8 p.m. ET.
  • For the Medicare Promoting Interoperability Program, submit questions to the Inpatient and Outpatient Healthcare Quality Systems Development and Program Support Contract Team via the QualityNet Question and Answer Tool or call toll-free (844) 472-4477 or (866) 800-8765 weekdays from 8 a.m. to 8 p.m. ET.
  • For the Prospective Payment System-exempt Cancer Hospital Quality Reporting Program, submit questions to the Inpatient and Outpatient Healthcare Quality Systems Development and Program Support Contract Team via the QualityNet Question and Answer Tool or call (844) 472-4477 or (866) 800-8765 weekdays from 8 a.m. to 8 p.m. ET.
  • For the Hospital Outpatient Quality Reporting (OQR) Program, submit questions to the Inpatient and Outpatient Healthcare Quality Systems Development and Program Support Team via the QualityNet Question and Answer Tool or call (866) 800-8756 weekdays from 7 a.m. to 6 p.m. ET.

If you have questions or need advice or help evaluating or addressing these or other concerns, contact the author of this update, Cynthia Marcotte Stamer.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.. 

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, 
provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other highly regarded publications and presentations,  Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters.  In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


New OCR Video Emphasizes Health Plan & Provider Legal & Operational Imperatives To Defend E-PHI Against Ransomware Threats

October 18, 2024

Health plans and insurers, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates, fiduciaries, sponsors and other leaders should review the new U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) video on ransomware and on how compliance with the Health Insurance Portability & Accountability Act (“HIPAA”) Security Rule can help such organizations combat ransomware and verify their other cybersecurity compliance in response to growing cybersecurity liability and operating threats.

Released amid OCR’s ongoing prioritization of ransomware and other cybersecurity threats in its compliance and enforcement efforts in conjunction with OCR’s October observance of National Cybersecurity Awareness Month, the video updates the Covered Entities and their business associates on the ransomware trends OCR sees in its cybersecurity investigations, OCR guidance and resources, best practices and practical advice on how HIPAA compliance can help HIPAA regulated entities prevent, detect, respond to, and recover from ransomware attacks.

Topics include:

  • OCR breach and ransomware trend analysis
  • Review of prior OCR ransomware guidance and materials
  • Analysis of the ransomware attack chain
  • Exploration of how Security Rule compliance can combat ransomware

Effective, documented ransomware safeguards are essential, particularly in light of the recent operational disruptions caused by the UnitedHealth Change Health, Ascension Health and other large breaches from ransomware attacks.

OCR recently warned Covered Entities and their business associates to “get serious” about cybersecurity and compliance with the HIPAA Privacy, Security, and Breach Notification Rules in its announcement of its fifth ransomware enforcement action against Providence Medical Institute in Southern California (“Providence”) amid a 264% increase in large ransomware breaches since 2018.

With OCR reporting a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018, ransomware and hacking are the primary cyber-threats in health care. OCR blames deficiencies in compliance with the HIPAA Security Rule for this trend.

HIPAA requires Covered Entities to meet HIPAA’s requirements to protect the privacy and security of protected health information. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a Covered Entity.  It also requires proper administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The $250,000 civil monetary penalty announced October 8, 2024, resolves potential violations of HIPAA that OCR uncovered when investigating a ransomware attack breach report filed by Providence in April 2018. Providence reported that its systems were affected by a series of ransomware attacks that affected the electronic protected health information (“ePHI”) of 85,000 individuals between February and March 2018. OCR’s investigation found that servers holding ePHI were encrypted with ransomware three times. OCR found two potential violations of the HIPAA Security Rule, including failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.

In March 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Providence waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $240,000 under a Notice of Final Determination.

In announcing the Providence civil monetary penalty, OCR warned other Covered Entities to ensure the adequacy of their safeguards and practices for protecting their systems holding ePHI under the HIPAA Security Rule, including taking the following steps to mitigate or prevent cyber-threats:

  • Review the video and all related guidance and enforcement.
  • Conduct documented recurrent threat assessment and response.
  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Covered Entities and their leaders should conduct documented risk assessments within the scope of attorney-client privilege to assess and strengthen as needed the adequacy of their existing cybersecurity safeguards to manage HIPAA and other applicable cybersecurity compliance and risks.

In conducting these efforts, Covered Entities, business associates, employer and other health plan sponsors and vendors and others dealing with this sensitive data also should consider duties and obligations under other federal laws. For instance, health plan fiduciaries risk personal liability under the Employee Retirement Income Security Act (“ERISA”) for failing to prudently protect plan data from ransomware and other attacks. Employers, health care providers, and others also face exposures under various federal and state data privacy, identity theft, negligence, ethics and other laws.

If you have questions or need advice or help evaluating or addressing your Covered Entity’s HIPAA and other data security or related concerns, contact the author of this update, Cynthia Marcotte Stamer.



OCR Warns HIPAA-Covered Entities To Get Serious About Ransomware and Other Cybersecurity In Announcing $240,000 Civil Monetary Penalty Against Providence Medical Institute

October 9, 2024

 

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) is warning healthcare providers, health plans, health care clearinghouses and their business associate service providers (“Covered Entities”) to “get serious” about cybersecurity and compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules in its announcement of its fifth ransomware enforcement action against Providence Medical Institute in Southern California (“Providence”) amid a 264% increase in large ransomware breaches since 2018.

With OCR reporting a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018, ransomware and hacking are the primary cyber-threats in health care. OCR blames deficiencies in compliance with the HIPAA Security Rule for this trend.

HIPAA requires Covered Entities to meet HIPAA’s requirements to protect the privacy and security of protected health information. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a Covered Entity.  It also requires proper administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The $250,000 civil monetary penalty announced October 8, 2024, sanctions potential violations of HIPAA that OCR uncovered when investigating a ransomware attack breach report filed by Providence in April 2018, in which Providence reported that its systems were affected by a series of ransomware attacks that affected the electronic protected health information (“ePHI”) of 85,000 individuals between February and March 2018. OCR’s investigation found that servers holding ePHI were encrypted with ransomware three times. OCR found two potential violations of the HIPAA Security Rule, including failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.

In March 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Providence waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $240,000 under a Notice of Final Determination.

In announcing the Providence civil monetary penalty, OCR warned other Covered Entities to ensure the adequacy of their safeguards and practices for protecting their systems holding ePHI under the HIPAA Security Rule, including taking the following steps to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Covered Entities and their leaders should conduct documented risk assessments within the scope of attorney-client privilege to assess and strengthen as needed the adequacy of their existing cybersecurity safeguards to manage HIPAA and other applicable cybersecurity compliance and risks.

If you have questions or need advice or help evaluating or addressing your Covered Entity’s HIPAA and other data security or related concerns, contact the author of this update, Cynthia Marcotte Stamer.


About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Limited Waiver of HIPAA Sanctions & Penalties For Georgia & North Carolina During Hurricane Helene Declared Emergency

September 28, 2024

In response to the Hurricane Helene Public Health Emergency Declaration (PHE) for Georgia and North Carolina, the Department of Health & Human Services has issued penalty relief for certain violations of the Health Insurance Portability & Accountability Act (“HIPAA”).

Affected parties should review the following guidance:

HHS and other agencies commonly issue a wide range of enforcement and other relief following hurricanes and other natural disasters. Healthcare providers, health plans, healthcare clearinghouses, and others subject to these rules are cautioned to review this guidance carefully and avoid overestimating the relief. Covered parties also should use care to recognize the limited duration of the relief provided and take documented steps to comply with all applicable requirements during the emergency and demonstrate their timely efforts to restore normal operations before the time that any limited relief expires.

If you have questions about HIPAA or other health care concerns during a disaster or otherwise, contact the author.

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.



FTC Faces PBM Lawsuit For Report Critical Of PBMs And Their Practices

September 19, 2024

Health care providers, independent pharmacies, employer and other health plan sponsors and fiduciaries, and individuals concerned about prescription drug prices and access should carefully follow the rapidly accelerating battle between the Federal Trade Commission (“FTC”) and pharmacy benefit managers (“PBMs”), which threatens to reshape how pharmaceutical products are priced and sold to health plans and consumers.

At the center of the complex pharmaceutical distribution chain that delivers prescription medicines from manufacturers to patients, PBMs generally are vertically integrated organizations that simultaneously serve and regulate health plans and pharmacists and play other roles in the drug supply chain.

This vertical integration allows these six PBMs to wield enormous power and influence over health plans’ and patients’ access to drugs and the prices they pay, as well as pharmacies’ access to prescription drugs and the price and other terms under which pharmacies qualify for health plan coverage or payment for these medications.

PBMs also exert substantial influence over independent pharmacies by imposing contractual terms as a condition of accessing medications, covering the pharmacies under health plans contracted with the PBMs, or both. Physicians and health care prescribers also often complain that these PBM-imposed restrictions inappropriately interfere with appropriate physician prescribing practices and pit pharmacists against physicians to the detriment of patients.

Mergers and consolidations within the PBM, pharmacy and health benefit industries that brought the largest PBMs under common ownership with the large insurers and retail pharmacies they purport to both manage and work with have increased the already significant power of PBMs to use their integration to control these and other aspects of prescription drug availability, access, distribution, and pricing. Consequently, the six largest PBMs – Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. – now collectively negotiate and enforce access, coverage, pricing and other key terms and conditions governing the availability, access to, and cost of prescription drugs for hundreds of millions of Americans.

With the consolidation of ownership of large PBMs, payers and pharmacies further tightening these PBMs’ control over prescription drug distribution, pricing, and coverage and prescription drug costs continuing to rise, PBMs and their practices increasingly face scrutiny, challenges and calls for reform by employers and other plan sponsors, health care providers, independent pharmacies, the FTC and other regulators, Congress, state legislatures and regulators, consumers, and others. See Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies.

FTC July 2024 Interim Report On 6 Largest PBMs

In response to these and other growing concerns about consolidation, lack of transparency and other potential abuses in the PBM industry and prescription drug costs, the FTC began investigating the PBM industry in 2022. In July 2024, the FTC released its Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies (the “FTC Report”), which reports the FTC’s interim findings from its ongoing study of how the six largest PBMs – Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. – use their vertical integration and concentration to inflate drug costs, squeeze Main Street pharmacies and engage in other practices harmful to patients and independent pharmacies.

The FTC Report shares interim findings based on the FTC staff’s review of more than 1,200 public comments to identify predominant areas of concern, initial submissions of internal documents and data from PBM respondents and their affiliates, interviews of various industry experts and participants and review of other public data and information. The FTC Report also discloses that certain PBMs have yet to produce the data and documents required in response to FTC orders issued more than two years ago. While stating that its study continues and promising that the FTC will continue efforts to force the PBMs to produce the evidence demanded in the orders, the FTC Report also promises to share regular updates about its progress and findings.

While the investigation continues, the FTC Report shares the FTC’s interim findings that:

  • The market for pharmacy benefit management services has become highly concentrated, and the largest PBMs are now also vertically integrated with the nation’s largest health insurers and specialty and retail pharmacies;
  • As a result of this high degree of consolidation and vertical integration, the leading PBMs can now exercise significant power over Americans’ access to drugs and the prices they pay;
  • Vertically integrated PBMs may have the ability and incentive to prefer their own affiliated businesses, which in turn can disadvantage unaffiliated pharmacies and increase prescription drug costs;
  • Evidence suggests that increased concentration may give the leading PBMs the leverage to enter into complex and opaque contractual relationships that may disadvantage smaller, unaffiliated pharmacies and the patients they serve;
  • PBMs and brand drug manufacturers sometimes negotiate prescription drug rebates that are expressly conditioned on limiting access to potentially lower cost generic alternatives in exchange for higher rebates from the manufacturers in a manner that may cut off patient access to lower-cost medicines and warrant further scrutiny by the Commission, policymakers, and industry stakeholders.

The FTC Report also shares the FTC’s concern that the six largest PBMs improperly use their integration and market control over 95 percent of all prescriptions filled in the United States:

  • To profit at the expense of patients and independent pharmacists;
  • To hike the cost of and overcharge for drugs;
  • To squeeze independent pharmacies that many Americans—especially those in rural communities—depend on for essential care;
  • To wield enormous power over patients’ ability to access and afford their prescription drugs, allowing PBMs to significantly influence what drugs are available and at what price; and
  • To impose unfair, arbitrary, and harmful contractual terms that can impact independent pharmacies’ ability to stay in business and serve their communities.

The FTC Report concludes that PBMs have an “outsized influence” that comes not only from the expansion of their traditional, middleman administrative services in processing patients’ pharmacy prescription claims but also from decades of consolidation and vertical integration across the healthcare delivery system where “the largest PBMs have come under common ownership with the largest, most dominant health insurers … [that] operate some of the largest retail, mail order, and specialty pharmacies in the country, which compete with local independent pharmacies. Given these relationships, PBMs and their affiliated entities may have the incentive and ability to engage in steering a growing share of prescription revenues to their own pharmacies through specialty drug classification, self-preferential pricing, and pharmacy contracting procedures to target and control the business operations of pharmacies. While the FTC Report principally focuses on the impact of these changing market dynamics on the operation and vitality of the nation’s pharmacies, the FTC Report also states that initial evidence about PBM and brand pharmaceutical rebating practices “urgently warrant further scrutiny and potential regulation.”

The FTC Report concludes that these interim findings underscore the importance and urgency of scrutinizing the role and influence of PBMs in the nation’s healthcare system, particularly as federal and state governments are the largest purchasers of healthcare.

Express Scripts Sues FTC Demanding Retraction Of FTC Report

Not surprisingly, the PBMs subject to the FTC Report generally have protested the reported findings. On September 17, 2024, CIGNA-owned Express Scripts sued the FTC, demanding that the FTC retract the FTC Report. In the Express Scripts, Inc. v. FTC complaint (the “Complaint”), Express Scripts characterizes the FTC Report as “unfair, biased, erroneous, and defamatory.” In the Complaint, Express Scripts alleges:

“According to the Commission’s press release announcing the Report, the Report stems from special orders issued under Section 6(b) of the FTC Act to six PBMs, including Express Scripts, demanding data and information about the PBM industry. But the Report is not an analysis of the data and information produced by the PBMs. Instead, it is seventy-four pages of unsupported innuendo leveled against Express Scripts and other PBMs under a false and defamatory headline and accompanied by a false and defamatory press release. The Commission disregarded the millions of documents and terabytes of data produced and relied instead on unverified comments from the very companies that PBMs negotiate against in order to help lower drug costs. Not surprisingly, those entities are incentivized to point the finger at PBMs for allegedly driving drug costs up, when it is PBMs who are, in fact, bringing drug costs down.”

Charging that the FTC Report “followed prejudice and politics, not evidence or sound economics, and wrongly concluded that PBMs inflate drug costs and harm independent pharmacies” and harmed Express Scripts’ business and reputation by the FTC’s “unlawful, unconstitutional, and arbitrary and capricious conduct and defamatory statements,” the Complaint alleges that the FTC Report “gets nearly everything wrong” as a result of FTC Chair Khan’s and the FTC’s bias against PBMs and failure to consider the evidence before them. For example, the Complaint asserts:

“It falsely accuses Express Scripts and other PBMs of “controlling” access to drugs and drug pricing when it is manufacturers who set drug prices and plan sponsors who decide which drugs to cover for their members.

It attacks Express Scripts for disadvantaging independent pharmacies when the evidence produced shows that on average independent pharmacies not affiliated with PBMs receive higher reimbursements than unaffiliated chain pharmacies, independent pharmacies are profitable, and the number of prescriptions filled at independent pharmacies is increasing.

It falsely claims that Express Scripts is “profiting by inflating drug costs,” including by taking rebates from drug manufacturers in return for putting high cost drugs on formularies when, in truth, the bulk of rebates and fees received by PBMs get passed through to plan sponsors and lower the net cost of drugs to plan sponsors and members. Moreover, Express Scripts prefers drugs with the lowest net cost to its plan sponsors on its largest standard formularies.

It makes the broad-brush claim that the PBMs failed to comply with the Commission’s 2022 6(b) orders, which demanded extensive data and information for production—without identifying who the supposed offenders are—even while Express Scripts had long ago complied with the Commission’s requests, which the Commission knew and verbally acknowledged before and after issuing its Report.

It falsely states that PBMs, including Express Scripts, “profit at the expense of patients by inflating drug costs” when the evidence shows that PBMs compete for the business of plan sponsors by offering lower costs for covered drugs than their competitors. PBMs have low and declining operating margins and any PBM that sought to inflate the cost of covered drugs would quickly lose its clients.”

Due to these alleged false conclusions, the Complaint charges that the FTC Report violates federal and state law several times over, including in at least the following ways:

  • By exhibiting bias against PBMs and prejudgment of the facts, the Report violates Express Scripts’ right to due process under the Fifth Amendment to the U.S. Constitution.
  • It contains (i) assertions that will predictably be and have been interpreted as conclusions adverse to all PBMs and (ii) false statements unsupported by the record that demonstrate the Commission’s failure to consider the available contrary evidence and render its decision arbitrary and capricious.
  • It is not in the public interest and therefore exceeds the Commission’s statutory authority under Section 6(f) of the FTC Act.
  • It is unlawful because Commissioners exercise executive authority while enjoying statutory removal protections in violation of Article II of the U.S. Constitution.
  • And the Commission’s claim both in the Report and the accompanying press release that PBMs, including Express Scripts, are “inflating drug costs” and “profit by inflating drug costs at the expense of patients,” is false and defamatory.

Claiming that Express Scripts has suffered and continues to suffer financial, business and reputational harm from the FTC Report’s allegedly false statements about its business practices and the insinuation that Express Scripts’ successful efforts to fight for lower prices for plan including being sued in multiple lawsuits invoking the FTC Report as evidentiary support for plaintiffs’ claims and faces multiple demands for information from state regulators and federal legislative committees. Contending these harms “have only just begun and will only be compounded over time,” Express Scripts asks the District Court:

  • To vacate and require the FTC to set aside the FTC Report;
  • Make the FTC correct the false statements it has made about PBMs; and
  • Require the recusal of FTC Chair Khan from further FTC proceedings regarding Express Scripts in light of her evident bias against PBMs, including Express Scripts.

Regardless of how the Express Scripts lawsuit plays out, employers and other health plan sponsors, fiduciaries, third party administrators, insurers, pharmacies, health care providers and individual Americans can expect to see continued challenges and attempts to reform PBMs to address perceived abuses. The direction and specifics of those challenges and changes remain unclear. Since political pressure is likely to significantly influence the ultimate outcome of any reforms, concerned individuals and organizations should carefully monitor and provide input.

Meanwhile, employer and other health plan sponsors and fiduciaries should also anticipate that the FTC Report and similar Congressional and other studies and investigations may increasingly fuel and provide evidence to support participants’ and beneficiaries’ questions and challenges to PBM features and practices within their health plans.

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies” and a multitude of other highly regarded publications and presentations, Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Intrepid Pays $3.85 Million To Settle Hospice & Home Health False Claims Act Charges

August 21, 2024

Texas-based Intrepid U.S.A. Inc. and various wholly-owned subsidiaries (“Intrepid”) will pay $3,850,000 to resolve allegations that Intrepid violated the False Claims Act in two lines of its business, home health and hospice.

The Settlement resolves government charges that Intrepid:

  • Knowingly submitted claims to Medicare for home healthcare services for patients who did not qualify for the Medicare home healthcare benefit or where services otherwise did not qualify for Medicare reimbursement; and
  • Knowingly submitted claims to Medicare for patients who did not qualify for the hospice benefit.

The United States alleged that, between 2016 and 2021, 19 Intrepid home healthcare facilities submitted claims to Medicare for home healthcare services for patients who did not qualify or were not properly certified as eligible for the Medicare home healthcare benefit, where the services provided were not reasonable or medically necessary, where the services were provided by untrained staff, or where services were not performed.

Separately, the United States alleged that, between 2016 and 2021, three Intrepid hospice facilities admitted patients to hospice care who were ineligible for the Medicare hospice benefit because they were not terminally ill or continued providing services to patients who should have been discharged because they no longer met the requirements for the Medicare hospice benefit.

These charges resulted from, and the settlement resolves, claims brought under the qui tam or whistleblower provisions of the False Claims Act in two different lawsuits. One qui tam action was brought by Jennifer Jones, a former travel nurse, and Pamela Joffe, a former Director of Quality Assessment Performance Improvement and New Business Development, for Intrepid. The qui tam case is captioned U.S. ex rel. Jones v. Intrepid USA Healthcare Inc., No. 19-sc-2973 (D. Minn.). The second qui tam action was brought by Marsha Rigney, a former Director of Clinical Excellence and Integrity, and Janet Watts, a former Regional Manager of Clinical Excellence, for Intrepid. This qui tam case is captioned U.S. ex rel. Rigney v. Intrepid U.S.A. Inc., No. 3:20-cv-95-RGJ (WDKY). Under the provisions of the False Claims Act, a private party can file an action on behalf of the United States and receive a portion of any recovery. Relators Jones and Joffe will receive $333,985 from the settlement proceeds, and Relators Rigney and Watts will receive $359,014 from the settlement proceeds.

The settlement amount is based on Intrepid’s ability to pay.

Following previous high dollar hospice and home health settlements like the $125 million plus settlement with Kindred Healthcare, Inc. announced last month, the Settlement reflects continued federal scrutiny of hospice, home health and long term care providers.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.


About the Author 

Cynthia Marcotte Stamer has extensive experience advising and defending health care and life sciences, health plans and insurers, and their business associates about False Claims and other billing and other compliance, risk management, operational and legislative and regulatory affairs concerns.

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Past Group Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee; and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership advising healthcare and life sciences, managed care and other insurance and employer-sponsored health benefit, technology, and other highly regulated and data dependent clients about health care and other regulatory, workforce and staffing, health and other employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending health care fraud; HIPAA, FACTA, GDPR, GLB, and other privacy, data security and information protection and breach; EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state health care, privacy, data breach and security, employment, employee benefits and insurance, equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.


©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


High Dollar Civil Monetary Penalties Warn HIPAA-Covered Health Providers, Health Plans & Healthcare Clearinghouses To Ensure Timely Medical Record Access

August 5, 2024

The more than $560,000 in civil monetary penalties (“CMPs”) collected since March by the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) from three HIPAA-covered entities for failing to respond to medical record requests within 30 days as required by the Health Insurance Portability & Accountability Act (“HIPAA”) right of access rule (“Access Rule”) shows patients, their personal representatives and health care providers, health plans, and health care clearinghouses (“Covered Entities”) the seriousness of OCR’s commitment to enforcement of the Access Rule.

On August 2, 2024, OCR announced that emergency medical provider American Medical Response (“AMR”) paid a $115,200 civil monetary penalty (“AMR CMP”) for waiting 370 days before delivering medical records requested by a patient’s personal representative. OCR’s AMR CMP announcement follows its April 1, 2024 announcement that Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”) paid a $100,000 CMP (“HMH CMP”) for waiting 161 days to provide medical records requested by a patient’s personal representative and its March 29, 2024 announcement of its agreement to accept payment of $35,000 in satisfaction of the previously assessed $250,000 CMP against Phoenix Healthcare LLC d/b/a Green County Care Center (“Phoenix”) for Access Rule violations. With these three actions, OCR collected $565,000 in CMPs for Access Rule violations since March 29, 2024, and has announced a total of 49 high-dollar Access Rule CMP or settlement collections since announcing its Access Rule enforcement initiative in 2019.

OCR’s pursuit of CMPs in excess of $100,000 against each of these three entities for failing to respond to a single request for patient records makes clear OCR’s readiness to investigate and pursue big dollar penalties against Covered Entities for even a single failure to deliver documents to a requesting patient or personal representative. In light of OCR’s clear commitment to holding all Covered Entities accountable for Access Rule compliance, all Covered Entities should recognize the importance of timely responding to each access request in accordance with the Access Rule to avoid similar CMP exposure for their organizations.

HIPAA Right Of Access Rule

HIPAA’s Privacy Rule right of access (“Access Rule”) is part of the national standards that the HIPAA Privacy, Security, and Breach Notification Rules (“Privacy Rule”) require Covered Entities and their business associates to meet to protect individuals’ protected health information (“PHI”), limit uses and disclosures of PHI, and give individuals the right to timely access and to obtain a copy of their PHI records and certain other rights. Like other Privacy Rule violations, Access Rule violations can subject a Covered Entity or business associate to expensive HIPAA civil monetary penalties (“CMPs”).

The Access Rule codified in 45 C.F.R. 164.524 generally requires a Covered Entity to respond to a request from an individual or the individual’s personal representative to access or for a copy of protected health information (“PHI”) in any records set of a Covered Entity or its business associate within 30 days of receipt of the individual’s request. OCR Access Rule guidance makes clear OCR views this deadline as the maximum allowed period.

The Covered Entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to provide the records within 30 days for a legitimate reason, the Access Rule allows the Covered Entity a one-time 30-day extension of the response timeframe by sending the requestor a written statement of the reasons for the delay and the date within the extended response deadline by which the Covered Entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2).

The Access Rule also contains specific guidance limiting the allowable fee, if any, the Covered Entity can charge for providing the PHI to a reasonable cost-based fee calculated following the Access Rule. It also sets forth other requirements about the manner and format in which the Covered Entity must deliver the PHI.

OCR is responsible for implementing the Privacy Rules and enforcing non-criminal violations of its requirements.  When OCR finds violations of the Access Rule or other HIPAA violations, HIPAA as amended by the HITECH Act,1 generally authorizes OCR to impose and collect a CMP determined based on the following penalty schedule, with adjustments for inflation:

  • A minimum of $100 for each violation where the Covered Entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated the HIPAA provision, provided the total amount of CMPs imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.3 The adjusted amounts apply only to CMPs whose violations occurred after November 2, 2015.

$115,200 AMR CMP

According to the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) August 1, 2024 announcement of the AMR CMP, AMR paid OCR the $115,200 AMR CMP after OCR assessed the CMP in a Notice of Final Determination that AMR violated the Access Rule.

The Notice of Final Determination arose from an OCR investigation of a complaint made by an attorney (“the Patient’s Attorney”) on behalf of a patient transported by AMR alleging that AMR failed to provide a patient with timely access to its medical records after many failed attempts by the patient to obtain the records.

According to the Proposed Notice of Determination, the Patient’s Attorney sent AMR a fax on the patient’s behalf on October 31, 2018 asking for copies of a patient’s medical records including, “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date” in electronic format to the patient’s attorney (“access request”). The access request was in writing, signed by the Patient’s Attorney, and clearly identified the Patient’s Attorney and where to send the copy of the Patient’s Attorney’s PHI. The Patient’s Attorney received a fax transmission report reflecting that AMR received her request on October 31, 2018. Although AMR uses an electronic health record (EHR) for its medical records and maintains the Patient’s Attorney’s requested PHI in its EHR, it did not respond to this request by November 30, 2018, the date 30 days from receipt.

On November 8, 2018, the Patient’s Attorney also mailed a copy of her October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail and received confirmation of delivery on November 13, 2018 from the United States Postal Service. The Patient’s Attorney also subsequently sent two follow-up requests for the PHI records on January 24, 2019.

Although AMR’s electronic medical record confirmed AMR received these requests, AMR did not respond to the Patient’s Attorney’s request until March 1, 2019, 121 days after the initial request, when AMR sent the Patient’s Attorney an invoice requiring payment of an access fee before AMR would provide the requested records to Complainant.

On March 18, 2019, the Patient’s Attorney then sent AMR another follow-up letter that reiterated the Patient’s Attorney’s multiple access requests and advised AMR that if AMR did not send the PHI to the Patient’s Attorney electronically within seven days the Patient’s Attorney would file a complaint with OCR.  Since AMR failed to deliver the requested records in electronic format within the specified period, the Patient’s Attorney filed a complaint with OCR on July 29, 2019, alleging that AMR violated the Access Rule by failing to provide a copy of the patient’s PHI in response to the Patient’s Attorney’s multiple access requests.

OCR’s October 2019 investigation found AMR repeatedly failed to timely respond to the patient’s access request even though AMR had procedures in place for processing individuals’ written access requests.

In response to OCR’s investigation, AMR sent the requested records to the Patient’s Attorney on November 5, 2019, 370 days after the Patient’s Attorney’s initial request.

In response to OCR’s investigation, AMR also amended its internal procedures to streamline and better track access requests. OCR notified AMR of the results of OCR’s investigation on August 3, 2021, and offered AMR an opportunity to resolve the matter informally.  Rather than accepting this offer, however, AMR responded to OCR through counsel on August 9, 2021, asking OCR to “reconsider its position” without providing a counteroffer or otherwise engaging in negotiations with OCR. While OCR did not disclose the terms of its proposed offer of resolution, acceptance of this offer presumably would have allowed AMR to resolve the charges for an amount less than the $115,200 CMP ultimately imposed.

OCR then sent an April 15, 2022 Letter of Opportunity (LOO) to AMR, which informed AMR that OCR’s investigation indicated that AMR violated HIPAA’s Access Rule and provided AMR with an opportunity to submit written evidence of mitigating factors and affirmative defenses to this violation as well as evidence to support a waiver of a CMP for violating the Access Rule. OCR determined AMR’s May 16, 2022 response to the LOO did not support any affirmative defense to the charges or grounds for waiver of the CMP but weighed AMR’s LOO response alleging mitigating factors in determining the amount of the CMP.

Based on these factual findings, OCR sent AMR a Notice of Proposed Determination that announced OCR’s intent to impose the $115,200 AMR CMP for its violation of the Access Rule by failing to provide timely access to the Patient’s Attorney after receiving her lawful requests.

Finding the Reasonable Cause penalty tier applicable for purposes of determining the CMP for AMR’s Access Rule violation from December 1, 2018, to February 28, 2019, OCR calculated the AMR CMP as follows:

  • $39,680 CMP for Calendar Year 2018 (31 days from 12/1/18 to 12/31/18, at $1,280 per day); plus
  • $75,520 CMP for Calendar Year 2019 (59 days from 1/1/19 to 2/28/19, at $1,280 per day);
  • $115,200 Total CMP.

While AMR argued that OCR should exercise its discretion and choose not to apply any CMPs because of “multiple mitigating factors,” OCR determined AMR’s arguments factually inaccurate and not meriting a change of the CMP assessment from the reasonable cause level. Accordingly, OCR refused to reduce the original $115,200 based on alleged mitigating factors.

After AMR did not challenge the determinations of OCR in the Notice of Proposed Determination within the allowed period, OCR issued the Final Notice of Determination imposing the $115,200 AMR CMP and AMR paid that amount.

Since as early as 2016, OCR has made Access Rule enforcement a priority.  Along with its assessment of the AMR CMP, OCR’s commitment to continued Access Rule enforcement is demonstrated by the 48 other previously announced Access Rule enforcement actions through July 31, 2024. 

$100,000 Hackensack Meridian Health CMP

Before it collected the AMR CMP, on April 1, 2024, OCR already had announced its collection of a $100,000 CMP from a New Jersey skilled nursing facility for violating the Access Rule.

Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“HMH”) is a skilled nursing facility that provides long-term care and rehabilitation services.

In May 2020, OCR received a complaint alleging that HMH failed to provide a personal representative with access to his mother’s medical records even after HMH received sufficient documentation that the patient’s son who requested the records was his mother’s personal representative.

OCR found that HMH failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination (“HMHPD”) seeking to impose the $100,000 civil money penalty. When HMH waived its right to a hearing and did not contest OCR’s findings, OCR finalized the Notice of Final Determination imposing the $100,000 CMP.

The OCR investigation found that when Peter Lindsay originally requested copies of the medical records of his mother, Lois Lindsey (“mother”) from WCCC in an April 19, 2020 email, WCCC responded with an April 22, 2020 e-mail denial that requested Mr. Lindsay provide WCCC a copy of a power of attorney, medical proxy or similar document executed by the mother establishing that he was his mother’s personal representative. However, when WCCC still failed to deliver the requested medical records after Mr. Lindsey sent a copy of his mother’s power of attorney via May 23, 2020 e-mail, Mr. Lindsey complained to OCR.

After OCR notified WCCC on October 15, 2020, of its investigation of the complaint, WCCC acknowledged that it failed to respond to the complainant’s request for his mother’s medical records within 30 days of receiving the complainant’s written request for the records but still did not deliver the records until December 1, 2020, 161 days after the complainant’s request.

By letter dated March 25, 2022, OCR informed WCCC that its investigation found that WCCC failed to provide timely access to protected health information and offered WCCC an opportunity to settle this matter informally. Although OCR’s letter encouraged WCCC to contact OCR no later than ten days after receipt of the letter, OCR received no response until WCCC’s attorney responded via e-mail on April 29, 2022, stating WCCC’s disagreement with OCR’s proposed resolution. OCR then responded by issuing a May 16, 2022 Letter of Opportunity (LOO) informing WCCC that OCR found preliminary indications of non-compliance and providing WCCC with an opportunity to submit written evidence of mitigating factors, affirmative defenses, or waiver factors for OCR’s consideration in determining the CMP amount.

In the June 15, 2022 response to the LOO sent by WCCC’s attorney, WCCC acknowledged receipt of both the April 19, 2020, medical record request and the power of attorney emailed on April 23, 2020. WCCC also admitted that instead of providing Mr. Lindsay with the requested medical record, WCCC sent a copy of the mother’s medical records to another facility to which Ms. Lindsay was transferred. WCCC’s attorney admitted WCCC should have handled the request differently but indicated that, at the time of the original request, both Mr. Lindsey and his mother were parties to ongoing litigation with WCCC over non-payment for care, that WCCC also was struggling with the COVID-19 pandemic, and that Mr. Lindsey filed his complaint with OCR exactly 30 days after his e-mailed request, before WCCC’s response to the initial request was due. WCCC’s attorney also asserted several affirmative defenses it claimed excused WCCC’s failure to provide the medical documents.

Based on the above findings of fact, OCR calculated the WCCC CMP at the reasonable cause not corrected tier for WCCC’s failure to provide the requested medical records from June 23, 2020, to December 1, 2020.

WCCC also asserted various affirmative defenses and a right of waiver to avoid or mitigate the amount of the WCCC CMP, all of which OCR found unpersuasive.

  • Regarding WCCC’s assertion that HIPAA barred imposition of a CMP in this case, as a matter of law, under the HIPAA affirmative defense for a violation not due to willful neglect and timely corrected, OCR determined that the affirmative defense did not apply as WCCC did not timely correct the violation.  
  • OCR also rejected WCCC’s assertion that imposition of a CMP under these circumstances would be arbitrary and capricious and violate the Administrative Procedure Act (“APA”).
  • OCR likewise rejected WCCC’s claim that OCR should waive any possible CMP because assessment of the CMP would be excessive as WCCC only failed to timely respond to a single request for records access, submitted in the midst of litigation with the requesting party during the COVID-19 pandemic, and WCCC’s personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.

After WCCC waived its right to challenge these OCR determinations in an administrative hearing, OCR issued the Notice of Final Determination on January 12, 2024, which OCR publicly announced on April 1, 2024.

Phoenix CMP Settlement

OCR’s WCCC CMP announcement came only three days after OCR announced a settlement with Phoenix under which OCR accepted and collected $35,000.00 (“Settlement Amount”) from Phoenix in full satisfaction of a $250,000 CMP under a March 30, 2021 Notice of Final Determination issued against Phoenix for willful violation of the Access Rule. 

The Phoenix CMP and resulting settlement arose from OCR’s investigation of a right of access complaint filed against the Oklahoma multi-facility nursing care organization by a patient’s daughter in April 2019 alleging that Phoenix would not provide the daughter, who serves as a personal representative, with a copy of her mother’s medical records. After Phoenix eventually sent the requested records 323 days after the request on January 30, 2020 and only after OCR’s attempts to get the records through technical assistance and other efforts, OCR notified Phoenix of its intention to impose a $250,000 civil money penalty (“Phoenix CMP”) against Phoenix for willful violation of the Access Rule along with violations of HIPAA’s business associate requirements.

Rather than accede to OCR’s proposed imposition of the $250,000 Phoenix CMP, however, Phoenix chose to challenge the proposed Phoenix CMP to an administrative law judge (“ALJ”) in the Civil Remedies Division of the Departmental Appeals Board (“DAB”) of HHS. In Decision No. CR6232, the ALJ on February 16, 2023, upheld the Access Rule violations cited by OCR and OCR’s determinations that Phoenix acted with willful neglect in committing the violations, but reduced the Phoenix CMP amount from the $250,000 proposed by OCR to $75,000.

Despite the ALJ’s reduction of the Phoenix CMP, Phoenix then unsuccessfully challenged the ALJ’s determinations. On August 4, 2023, the HHS Departmental Appeals Board upheld the ALJ’s decision to uphold OCR’s determinations that Phoenix acted with willful neglect in violating the Access Rule and imposition of the reduced $75,000 CMP.

When Phoenix threatened to appeal this determination in federal court and presented evidence of “financial hardship,” however, OCR agreed, “as a compromise based on the unique facts and circumstances of this matter,” to accept Phoenix’s payment of the $35,000 Settlement Amount in full satisfaction of the $75,000 CMP assessed under ALJ Decision No. CR6232, as affirmed by DAB Decision No. 3105, in return for Phoenix’s agreement not to further challenge OCR’s assessment and to revise its HIPAA Policies and Procedures to address the Access Rule and business associate agreement requirements, training, and other compliance.

Right Of Access Enforcement Takeaways

OCR’s pursuit of CMPs for Access Rule violations against AMR, WCCC and Phoenix, along with the 46 Access Rule settlements announced by OCR before the Phoenix Settlement, makes clear that OCR takes Access Rule violations seriously and stands prepared to assess substantial CMPs against Covered Entities that violate the Access Rule.

Like the 46 Access Rule settlements OCR previously announced, the circumstances surrounding the assessment of the AMR CMP and other Access Right Enforcement actions contain several important lessons for Covered Entities and business associates including:

  • Ensuring Covered Entities appropriately track and timely respond to access requests is critical;
  • Failing to provide timely response to even a single access request can trigger a significant CMP;
  • The existence or expectation of a lawsuit or other dispute with the patient or patient’s personal representative does not justify delaying or refusing to provide requested medical records within 30 days;
  • While Covered Entities and business associates have a duty to verify a family member, attorney or other party requesting medical records on behalf of a patient is the personal representative, a Covered Entity is responsible for verifying this and delivering the requested medical records promptly following receipt of a request;
  • If a Covered Entity or business associate intends to charge to provide requested medical records in response to an access request, ensure that the proposed charge is calculated following the Access Rule, that notification is delivered within 30 days of the original request, and that the medical records are delivered promptly after the payment is received;
  • Providing requested medical records to another health care provider or other party does not excuse or substitute for providing the medical records to the requesting patient or personal representative;
  • A Covered Entity that fails to meet the 30-day deadline for responding to an access request should fix the problem promptly by delivering the documents as soon as possible and taking documented corrective action to prevent future noncompliance;
  • A Covered Entity or business associate that already has not responded within 30 days of receipt of an access request should not withhold delivery of the requested PHI pending the requestor’s payment of the minimal allowed charge that it could have imposed had it timely responded to the access request within 30 days; and
  • Consider carefully before declining an offer from OCR to settle through informal resolution.

Covered Entities and business associates also should keep in mind other potentially applicable legal or ethical requirements to provide medical records. For instance, state medical licensure and ethics rules typically require physicians and other health care providers to provide copies of medical records or other materials that also qualify as protected health information under HIPAA. Likewise, the Employee Retirement Income Security Act, state insurance rules and other federal or state laws also may require health plans and their insurers, administrators and others to provide timely access to medical or other records that also are protected health information under HIPAA. Covered Entities and business associates should ensure that all applicable deadlines are met and that any charges imposed satisfy all applicable requirements.

Covered Entities and business associates also should keep in mind that the Access Rule is only one of several areas of HIPAA enforcement prioritized by OCR that can trigger costly CMPs. Since HIPAA took effect in April 2003 through April 2024, OCR has:

  • Received and resolved 99 percent of the more than 358,975 HIPAA complaints and the more than 1,188 OCR-initiated compliance reviews;
  • Required changes in privacy practices and corrective actions in more than 30,839 cases investigated;
  • Settled or imposed a civil money penalty in 145 cases resulting in a total dollar amount of $142,663,772.00; and
  • Referred 2,197 cases to the Department of Justice (DOJ) for criminal investigation of cases involving the knowing disclosure or obtaining of protected health information in violation of HIPAA.

The compliance issues most often alleged in complaints through April 2024 have remained consistent across the 20 years since HIPAA became effective. They include, cumulatively and in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

While health care providers are the type of Covered Entity most often subjected to enforcement, OCR data confirms OCR investigations and enforcement have impacted all types of Covered Entities and business associates. According to this data, the categories of Covered Entities OCR investigations have found to have committed violations are, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Pharmacies;
  • Outpatient Facilities; and
  • Group Health Plans.

Additionally, while Group Health Plans as a group have the fewest compliance violations to date, OCR enforcement data confirms OCR’s investigation and enforcement of Access Rule violations against Group Health Plans, as well as that Group Health Plans and their business associates historically account for violations of the HIPAA security rules for the protection of electronic health information affecting millions of Americans. With OCR even further heightening its prioritization of HIPAA’s security rule oversight and enforcement in response to massive breaches of electronic protected health information systems and data that triggered widespread disruptions of care and payment systems reported by UnitedHealthcare Group’s Change Health, Ascension Health, and others, and recent OCR guidance requiring Covered Entities to update their Notices of Privacy Practices, all Covered Entities and their business associates should seize the opportunity to re-verify the defensibility of their organization’s Access Rule, Security Rule and other HIPAA compliance.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Meeting with the HHS Office of Civil Rights on HIPAA, Cynthia Marcotte Stamer has extensive experience advising and defending health care and life sciences, health plans and insurers, their business associates about HIPAA and other privacy and data security protection, breach response and other compliance and risk management.

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Past Group Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee; and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership advising healthcare and life sciences, managed care and other insurance and employer-sponsored health benefit, technology, and other highly regulated and data dependent clients about health care and other regulatory, workforce and staffing, health and other employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending HIPAA, FACTA, GDPR, GLB, and other privacy, data security and information protection and breach; EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state privacy, data breach and security, employment, employee benefits and insurance, equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


CMS Updates 2024 FY Workplan

July 20, 2024

The Centers for Medicare and Medicaid Services (“CMS”) updated its work plan this week.

The updates add the following projects:

Review all currently active Work Plan projects here.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Hurricane Beryl Texas Court Deadline Extensions

July 15, 2024

The Supreme Court of Texas has issued an emergency order authorizing the modification of deadlines in certain justice courts affected by Hurricane Beryl.

The order states that upon request by local judicial leaders and pursuant to Section 22.0035(b) of the Texas Government Code, justice courts in Fort Bend, Galveston, Harris, Matagorda, and Montgomery counties that have been prevented from complying with a deadline in a civil case because the court’s normal operations have been disrupted by the disaster may:

  • Consider the disaster as good cause under Texas Rule of Civil Procedure 500.5 for extending a time period in the Texas Rules of Civil Procedure or local rules, including appeal and new trial deadlines, until July 26, 2024; and
  • Postpone statutory deadlines until July 26, 2024, if the court finds that the postponement is necessary to facilitate the orderly resumption of the court’s normal operations.

Read the complete order here.

For More Information

We hope this update is helpful. For more information or help about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of compliance, risk management, regulatory affairs, operations, strategy and other work with health, employee benefits, insurance, hospitality, retail, construction and other clients, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defending WHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; EEOC, OFCCP, DOD, HUD, HHS and other Civil Rights Act, Section 1557 and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit and compensation; DEA and other Justice Department; CDC, OSHA and other safety and other compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


OCR Continues Prioritizing Protecting Health Info & Systems Against Ransomware & Other Hacking Threats; Plans $50M Investment To Develop Cybersecurity Tools

May 20, 2024

Responding to concerns heightened by a series of health industry cybersecurity incidents disrupting patient health care and privacy resulting from unpatched systems and devices like those recently experienced by UnitedHealthcare Group subsidiary Change Health, Ascension Healthcare and other health industry organizations, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is making safeguarding PHI a top priority. Along with the growing series of guidance packages, enforcement, audit and other efforts, OCR and the Advanced Research Projects Agency for Health (“ARPA-H”) are investing more than $50 million to help develop tools to help hospital and clinic IT teams better protect their health information record systems and patients from ransomware and other cyberattacks.

OCR Responds To Care Disruptions From Health Industry Ransomware Attack

In September, 2021, OCR clearly warned health care providers, health plans, healthcare clearinghouses and their business associates (“covered entities”) to protect their health information systems and electronic protected health information against ransomware, hacking and similar outside threats by publishing its Fact Sheet: Ransomware and HIPAA as well as through a growing list of hacking and ransomware related resolution agreements. See e.g. HHS’ OCR Settles HIPAA Investigation with Phoenix Healthcare; HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million; HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services; HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations; HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000; HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000; HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking; Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach.

While OCR historically waited to publicly respond to these and other massive breaches until its announcement of resolution agreements reached after years-long investigations of these massive breaches, the massive disruptions in patient care resulting from the February, 2024, UHG Breach prompted OCR to act quickly. Just weeks after UHG first announced the February 23, 2024, ransomware attack and before receiving a breach report from UHG or Change Health, OCR announced its opening of an investigation and issued its March 13, 2024 Dear Colleague letter. See, e.g., HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack. In the March 13, 2024, Dear Colleague letter, OCR:

  • Confirmed OCR’s opening and prioritization of an investigation of Change Healthcare and UnitedHealth Group focused on whether a breach of protected health information (PHI) occurred and on the entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules because of the cyberattack’s unprecedented impact on patient care and privacy;
  • Confirmed that OCR anticipates that it eventually also will conduct secondary investigations of the HIPAA compliance of covered entities that have business associate relationships with Change Healthcare and UHG, and those organizations that are business associates to Change Healthcare and UHG; and
  • Reminded all of these partner entities of their HIPAA obligations to have business associate agreements in place and to ensure that timely breach notification to the Department of Health and Human Services (HHS) and affected individuals occurs.

Subsequently, OCR has shared additional guidance on its expectations for covered entity response to the UHG Breach in its Change Healthcare Cybersecurity Incident Frequently Asked Questions page (“FAQ”). Among other things, the FAQ reminds covered entities that OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach, and confirms that OCR will presume a breach of electronic protected health information occurred and that a covered entity is required to provide notification unless a covered entity impacted by the breach can demonstrate its investigation proves a “…low probability that the PHI has been compromised,” based on the factors in the Breach Notification Rule.

Since UHG has indicated it may be months before it can restore its systems sufficiently to determine the identities of the individuals whose protected health information was breached and other relevant data, the FAQ also provides guidance to covered entities about options for making breach reports given the existing uncertainty of the information available from UHG currently.

These and other actions by OCR in response to the UHG breach send a strong message to all covered entities of OCR’s readiness to act zealously against covered entities that fail to take appropriate steps to safeguard their health information systems and data against ransomware and other hacking.

UPGRADE Program To Fund Development of Hospital & Clinic Cybersecurity Tools

OCR and ARPA-H’s May 20, 2024 announcement of plans to invest $50 million in health industry cybersecurity under ARPA-H’s new Universal Patching and Remediation for Autonomous Defense (“UPGRADE”) program reflects that HHS is moving to help covered entities fulfill their HIPAA responsibilities along with vigorously investigating large ransomware and hacking related breaches at covered entities. According to the May 20, 2024 announcement, ARPA-H will solicit proposals for the development of tools to effectuate the UPGRADE program in four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.

HHS ARPA-H established the UPGRADE program in recognition that cyberattacks that disrupt hospital or clinic operation can impact patient care or even lead to facility closure. The establishment of the UPGRADE program recognizes that the complexities of the software systems used in a given health care facility, the number and variety of internet-connected devices unique to each facility, disruptions caused by taking critical pieces of hospital infrastructure offline for updates, and other unique challenges impacting hospitals often delay development and deployment of software fixes. These and other complexities and challenges often leave actively supported devices in hospitals and clinics vulnerable for over a year and unsupported legacy devices vulnerable far longer.

The ARPA-H’s UPGRADE program is tasked with developing tools to reduce the effort it takes to secure hospital equipment and ensure devices are safe and functional so that health care providers can focus on patient care. HHS anticipates that the UPGRADE platform will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software. Once a threat is detected, a remediation (e.g., patch) can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital. HHS hopes the UPGRADE program will “speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.”

The UPGRADE program adds a new element to ARPA-H’s ongoing digital health care security efforts. Its Digital Health Security Initiative, DIGIHEALS, launched last summer, focuses on securing individual applications and devices. ARPA-H also recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, or AIxCC, a prize competition to secure open-source software used in critical infrastructure.

The UPGRADE program aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale.  Multiple awards under this solicitation are anticipated. To learn more about UPGRADE, including information about the draft solicitation, virtual Proposers’ Day registration, and how to state interest in forming an applicant team, visit the UPGRADE program page.  For more information on HHS’ Cybersecurity Performance Goals and HHS’ cybersecurity work, visit HHS Cybersecurity Gateway.

Other OCR Cybersecurity Guidance & Tools

Safeguarding protected health information is a top OCR priority. Before announcing the UPGRADE program, OCR already had provided a growing list of resources to help entities protect their record systems and patients from cyberattacks, including:

  • OCR HIPAA Security Rule Guidance Material – This webpage provides educational materials to learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information. Materials include a Recognized Security Practices Video, Security Rule Education Paper Series, HIPAA Security Rule Guidance, OCR Cybersecurity Newsletters, and more.
  • OCR Video on How the HIPAA Security Rule Protects Against Cyber-Attacks  – This video educates the health care industry on real world cyber-attack trends from OCR breach reports and investigations and explores how implementation of HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. Topics include OCR breach and investigation trend analysis, common attack vectors, OCR investigations of weaknesses that led to or contributed to breaches, and how Security Rule compliance can help regulated entities defend against cyber-attacks.
  • OCR HIPAA Risk Analysis Webinar – This webinar discusses the HIPAA Security Rule requirements for conducting an accurate and thorough assessment of potential risks and vulnerabilities to electronic protected health information and reviews common risk analysis deficiencies OCR has identified in its investigations.
  • HHS Security Risk Assessment Tool – This tool is designed to assist small- to medium-sized entities in conducting an internal security risk assessment to aid in meeting the security risk analysis requirements of the HIPAA Security Rule.
  • Factsheet: Ransomware and HIPAA – This resource provides information on what ransomware is, what covered entities and business associates should do if their information systems are infected, and HIPAA breach reporting requirements.
  • Healthcare and Public Health (HPH) Cybersecurity Performance Goals – These voluntary, healthcare-specific cybersecurity performance goals can help healthcare organizations strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.
  • Ransomware Guidance – OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach. The HIPAA Rules define a breach as “…the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the HIPAA Privacy Rule,  which compromises the security or privacy of the PHI.” See 45 CFR 164.402. Whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. 

In the face of these developments, hospitals and clinics, as well as other covered entities, should timely complete documented risk assessments of their exposures and make diligent, well-documented and reasoned efforts to ensure their systems are appropriately implemented and timely updated to incorporate all necessary software patches and other processes needed to defend against ransomware and other hacking.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Cleveland Clinic Foundation Pays $7.6M To Settle FCA Charges Relating To NIH Grants

May 20, 2024

The Cleveland Clinic Foundation (“CCF”) has agreed to pay $7,600,000 to resolve allegations that it violated the False Claims Act (“FCA”) by submitting to the National Institutes of Health (“NIH”) federal grant applications and progress reports in which CCF failed to disclose that a key employee involved in administering the grants had pending and/or active financial research support from other sources.

The settlement resolves allegations that CCF made false statements to NIH, a component of the Department of Health and Human Services (“HHS”), in connection with three federal grant awards. Federal officials charged that, despite NIH requirements to do so, CCF repeatedly failed to disclose that the employee whom it designated as the Principal Investigator on each grant had pending and/or active grants from foreign institutions that provided financial assistance to support the employee’s research and already obligated that employee’s research time. CCF falsely certified that the grant submissions were true and accurate. The settlement also resolves allegations that CCF violated NIH password policies by permitting CCF employees to share passwords. Some of the false submissions wherein CCF failed to disclose the Principal Investigator’s foreign grant support were made by CCF employees who were inappropriately given access to NIH’s online grant reporting platform.

NIH requires full transparency in applications and throughout the life of the grants it awards. This includes a requirement that grant applicants disclose all sources of research support, from any source, on grant applications and on follow-up documents relating to grant awards. NIH uses this information to determine if the applicant has the time necessary to allocate to the proposed research project, and if the research proposal has other sources of funding that are duplicative. It also assists NIH in determining if an applicant’s financial interests may affect its objectivity in conducting research.

Under the Cleveland Clinic Settlement Agreement, CCF will pay a $7.6 million settlement and be subject to additional NIH-imposed Specific Award Conditions on all of CCF’s grants for a one-year period.

Federal regulations allow NIH to impose Specific Award Conditions on grant recipients, including on recipients that do not comply with the terms of a federal award. In this case, NIH is requiring a high-level CCF employee to personally attest to the truth, completeness, and accuracy of all “other grant support” information CCF provides to NIH. CCF must also develop a corrective action plan that includes an assessment of internal controls related to other grant support and foreign-component reporting; create a mandatory training program addressing requirements for disclosing other grant support, research security, and cyber security; and develop an improvement plan for its internal controls, ensuring that CCF has oversight at the institutional level to confirm that the information its Principal Investigators disclose is true, complete, and accurate, among other requirements. The Specific Award Conditions will begin Oct. 1, 2024, and remain in effect through Sept. 30, 2025, or until NIH is satisfied that CCF has successfully completed the Corrective Action Plan.

The Department of Justice FCA enforcement and settlement illustrate how important it is for researchers receiving NIH grants to ensure the accuracy of information reported in applications and other documentation related to federal grants. U.S. Attorney Rebecca C. Lutzko for the Northern District of Ohio said, “Today’s settlement illustrates the importance of being truthful at every stage of the grants process.”

For More Information

We hope this update is helpful. For more information or help about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of compliance, risk management, regulatory affairs, operations, strategy and other work with health, employee benefits, insurance, hospitality, retail, construction and other clients, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defending WHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; EEOC, OFCCP, DOD, HUD, HHS and other Civil Rights Act, Section 1557 and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit and compensation; DEA and other Justice Department; CDC, OSHA and other safety and other compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. The law is rapidly evolving, and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Settlement Alerts Health Industry Employers Against Overreaching Employment Eligibility Verification

May 15, 2024

A Justice Department (“DOJ”) settlement agreement with home healthcare provider Maxim Healthcare Services (“Maxim”) shows health industry businesses remain high-priority targets for national origin and other discrimination investigations and prosecutions. With national origin discrimination a key overall priority for DOJ and other agencies under the Biden administration, all healthcare and other employers should use care in negotiating their employment eligibility verifications to ensure collection of the required proof without imposing additional or special documentation requirements for non-US citizens or based on other prohibited factors or otherwise engaging in prohibited discrimination.

The Maxim agreement resolves DOJ charges that Maxim violated the Immigration and Nationality Act (INA) at its Gardena, California, office by discriminating against a non-U.S. citizen worker when it rejected her valid document showing her permission to work and by requiring lawful permanent residents working for the company to prove their continued permission to work even though it was unnecessary.

An investigation of a worker’s complaint led DOJ’s Civil Rights Division Immigrant and Employee Rights Section (“IER”) to conclude that Maxim improperly rejected the worker’s valid document based on her citizenship status. Specifically, it found Maxim illegally rejected the worker’s employment authorization document (“EAD”) because the last name on it was different from the last name on her driver’s license and Social Security card, even though it accepted documents from U.S. citizens under similar circumstances and believed that the EAD reasonably appeared to be genuine and to relate to the worker, which is all that is required by the Department of Homeland Security I-9 rules.

The investigation also determined that Maxim routinely required lawful permanent residents to present unnecessary documentation when their Permanent Resident Cards expired, which is not required by law. The INA’s anti-discrimination provision prohibits employers from rejecting valid documents or asking for specific or unnecessary documents because of a worker’s citizenship or immigration status. If a lawful permanent resident provides an unexpired Permanent Resident Card to prove their permission to work, employers are not permitted to request new documentation if the Permanent Resident Card later expires.

Under the terms of the settlement, Maxim will pay a civil penalty to the United States and lost wages to the affected worker, train its employees on the INA’s anti-discrimination requirements, revise its employment policies and processes and be subject to monitoring. The DOJ announcement as of publication did not disclose the amount of the civil penalty paid or include a copy of the settlement agreement.

The Maxim and other DOJ actions against businesses for discriminating on national origin, race, or other prohibited grounds in their eligibility verification processes send a strong message to other employers. Healthcare providers and other businesses should carefully comply with the I-9 verification requirements by requiring every applicant and employee to provide the documentation required. However, employers should not specify a more restrictive list of documents or require groups to present additional documentation beyond what is required by I-9 rules unless consultation with legal counsel verifies that a legitimate basis for questioning eligibility is raised by the examination of the presented documents and other safeguards make it appropriate to proceed with requiring additional verification. To minimize potential exposure to discrimination charges based on questions of identity, employers may want to consult with their qualified legal counsel about using E-Verify or other processes on a uniform basis to verify the identity of each applicant or employee in a consistent, non-discriminatory manner.



FLSA Salary Threshold Increases, Other Proposed Changes To Rules & Enforcement Alert Health Care Employers To Confirm Salaried Employee Defensibility

May 14, 2024

Overtime awards like the $152,000 in back wages and liquidated damages Bronx Urgent Care, P.C. (“Bronx”) must pay for wrongfully misclassifying nine employees as exempt and routinely failing to pay them overtime for hours over 40 in a workweek (“overtime”), together with recently announced increases in the salary threshold required for salaried employees, strongly signal the need for all medical practices and other health care providers to reassess and re-verify the defensibility of their classification and pay practices for each salaried employee of their organizations and related management services organizations to confirm each salaried employee meets both the earnings and job duties requirements to qualify as an exempt employee under the Fair Labor Standards Act (“FLSA”). The precautionary warning sent by the judgment comes on the heels of the announcement by the Department of Labor Wage and Hour Division (“WHD”) of two increases, between July 1, 2024, and January 1, 2025, in the minimum salary that an employer must pay an employee who otherwise satisfies the job duties requirements for payment by an employer on a salaried basis. The salaried classification reviews should both confirm that each employee classified as salaried currently fulfills these requirements and identify and begin preparations for necessary adjustments to classifications or salary for any salaried employee currently earning less than the higher minimum salary requirements set to take effect this Summer.

Bronx $152,000 Back Pay & Liquidated Damages Award

The Bronx overtime judgment is part of a growing number of enforcement actions targeting health industry employers for overtime and other labor and employment violations. See, e.g., Nearly $900K FLSA Backpay Award Warns Other Home Health Employers.

On May 10, 2024, the U.S. District Court for the Southern District of New York ordered Bronx Urgent Care P.C. to pay $152,000 – $76,000 in back wages and an equal amount in liquidated damages – to the affected workers. The court also affirmed $8,000 in civil money penalties the WHD assessed because the court found the FLSA violations willful. In addition to the wage recovery, damages and penalties assessed, the court order also forbids Bronx from future FLSA violations.

The judgment resulted after a WHD investigation found the employer operating Bronx, its owner Basil Bruno, and operations manager Samuel Singer violated the FLSA by misusing the salaried employee exemption and failing to pay time and a half overtime pay for overtime hours worked to nine employees improperly treated as salaried. 

WHD Raising Salary Threshold For Salaried Exemption

The FLSA requires employers to treat and pay each employee as an hourly employee subject to the minimum wage, overtime, and recordkeeping requirements unless the employer proves that the employee qualifies as exempt.  To treat an employee as a salaried employee exempt from the FLSA requirements, an employer bears the burden of proving both that the employee’s salary meets or exceeds the required salaried threshold and that the actual duties and responsibilities of the employee fulfill the job duties test. 

The judgment follows WHD’s April 23, 2024, adoption of a final rule (“Final Rule”) that will twice increase the salary threshold, the minimum salary an employee must earn to qualify for treatment as an exempt employee eligible for the employer to pay on a salaried basis. On July 1, 2024, the Final Rule will increase the salary threshold from the current required annual equivalent salary threshold of $35,568 to an annual salary of $43,888. On January 1, 2025, the Final Rule further increases the salary threshold to an annual salary equivalent of $58,656.

The impending changes mean the Final Rule will prohibit an employer from paying on a salaried basis, and will require the employer to comply with the FLSA’s minimum wage, overtime, and recordkeeping requirements for, any employee whose annual equivalent salary is less than $43,888 after June 30, 2024 or less than $58,656 after December 31, 2024. Consequently, employers that currently pay employees whose job duties fulfill the job duties test less than the applicable salary threshold must either increase the employees’ salaries above the threshold or reclassify and compensate the employees as non-exempt employees, subject to the FLSA’s minimum wage and overtime requirements.

WHD and private litigation challenges overturning health industry and other salaried classification and other wage and hour practices demonstrate that many organizations rely upon inaccurate or overly optimistic perceptions of their ability to defend their salaried employee characterizations. Defending even the most realistically grounded salaried worker classification would become even more difficult if the changes WHD proposed to its “White Collar” exemption rules earlier this year take effect. When considering whether to raise salaries or reclassify, a health care or other organization should conduct documented compliance reviews on both workers the organization directly employs and any workers providing services to the organization through management services organizations, employee leasing, staffing, manpower, consultant, independent contractor, or other similar service arrangements where the potential exists for reclassification of the worker as an employee of the employer or the employer as a joint employer of the employee, taking into account the more aggressive regulatory and enforcement positions of the Biden Administration that make defending salaried characterizations more difficult for employers.

The process should both realistically assess the defensibility of the classification and capture documentation of the employer’s compliance efforts, as this documentation can help mitigate exposure to willfulness penalties in the event the WHD or a court rejects the salaried classification of a particular employee in the future. The review of each salaried employee’s classification should begin with a review of whether each salaried employee currently meets the job duty and salaried threshold tests to qualify for salaried status. If the review raises concerns about the defensibility of any employee’s current salaried classification, the organization should work with counsel to pursue options for resolving potential exposures.

An employer should conduct this review on all salaried employees, not just those whose current salary is below the current or upcoming increased minimum salaried threshold level. Reevaluation of the defensibility of all salaried workers’ classification is recommended because many employers mistakenly misclassify workers as salaried rather than hourly due to an overly optimistic misunderstanding of the duties requirements for a worker to qualify as salaried. The risk of misclassification is heightened under the current administration’s enforcement policies. Employers aggressively classifying workers as salaried currently are at risk for FLSA wage and hour backpay, penalty, interest, and enforcement cost liability for record-keeping and overtime violations for misclassified workers under the FLSA and other applicable federal and state laws. Raising the salary of a misclassified worker will only make matters worse by increasing the overtime liability that the employer will be required to pay for failure to pay overtime after the salary increases take effect. As the impending salary threshold increases will heighten the already high enforcement interest of the WHD and private class action and individual litigants, employers are cautioned to consider their heightened risks of enforcement when evaluating the aggressiveness of their current and future salaried classification and other worker classification and pay practices.

For More Information

We hope this update is helpful. For more information or help about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of compliance, risk management, regulatory affairs, operations, strategy and other work with health, employee benefits, insurance, hospitality, retail, construction and other clients, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of t and Che ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defendingWHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; EEOC, OFCCP, DOD, HUD, HHS and other Civil Rights Act, Section 1557 and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit and compensation; DEA and other Justice Department; CDC, OSHA and other safety and other compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


New CMS LTC Staffing Requirements Likely To Increase Workforce Competition, Costs Industry-Wide

May 12, 2024

Nursing homes and other health care facilities competing for staffing with these facilities should begin preparing to cope with the wage costs and other pressures expected to result from new staffing and other changes to staffing requirements for Medicare and Medicaid participating long-term care facilities released by the Department of Health and Human Services Centers for Medicare & Medicaid Services (“CMS”) on April 22, 2024.

The Minimum Staffing Standards for Long-Term Care (LTC) Facilities and Medicaid Institutional Payment Transparency Reporting final rule (“Final Rule”) will require long-term care facilities participating in federal programs such as Medicare and Medicaid to have a licensed registered nurse (“RN”) on site at all times and to meet the minimum total nurse staffing (“TNS”) requirements imposed under the Final Rule. These facilities also will face enhanced facility assessment requirements under the Final Rule.

The mandates of the Final Rule and resulting increases in compensation and competition will impact both participating LTCs and other health care providers competing for staffing.

Total Nurse Staffing

CMS says its new minimum nurse staffing standards “will set a national and broadly applicable baseline that will significantly reduce the risk of unsafe and low-quality care for residents across all LTC facilities.”

Subject to certain limited temporary exceptions, the TNS requirements for long-term care (“LTC”) facilities aim to significantly reduce the risk of residents receiving unsafe and low-quality care within LTC facilities by specifying required minimum nurse staffing.

The Final Rule generally will require LTC facilities to meet a total nurse staffing standard of 3.48 hours per resident day (HPRD), which must include at least 0.55 HPRD of direct registered nurse (RN) care and 2.45 HPRD of direct nurse aide care. LTCs may use any combination of nurse staff (registered nurse (“RN”), licensed practical nurse (“LPN”), licensed vocational nurse (“LVN”), or nurse aide) to account for the additional 0.48 HPRD needed to comply with the total nurse staffing standard.

In addition, the Final Rule will require LTCs to have at least one RN on site 24 hours a day, 7 days a week to provide skilled nursing care.

Some “limited temporary exceptions” may apply to all the requirements for qualifying LTCs in areas with workforce shortages that meet other criteria. While an estimated 25% of nursing homes would be eligible for exceptions, these are “limited, temporary exceptions.” An LTC must be in a workforce shortage area and report the amount of its income spent on wages and other information to prove its “good faith” efforts to hire by paying competitive wages.

While these are minimum staffing standards, CMS expects LTC facilities to use the updated and newly strengthened facility assessment to determine whether their staffing needs to be set above these minimums, based on resident acuity and individual care needs. CMS is committed to continued examination of staffing thresholds, including work to review quality and safety data resulting from initial implementation of these finalized policies, as well as robust public engagement. 

Additionally, to increase transparency related to compensation for workers, CMS will also require states to collect and report on the percent of Medicaid payments that are spent on compensation for direct care workers and support staff delivering care in nursing facilities and intermediate care facilities for individuals with intellectual disabilities.

CMS Tightening LTC Assessments

LTC facilities are already required to conduct, document, and review, annually and as necessary, a facility-wide assessment to determine what resources are necessary to care for residents competently during both day-to-day operations and emergencies. To ensure that facilities are utilizing the assessment as intended by making thoughtful, person-centered staffing plans and decisions focused on meeting resident needs, including staffing at levels above the finalized minimums as indicated by resident acuity, the Final Rule raises the assessment requirements as follows:

  • Facilities must use evidence-based methods when care planning for their residents, including consideration for those residents with behavioral health needs.
  • Facilities must use the facility assessment to assess the specific needs of each resident in the facility and to adjust as necessary based on any significant changes in the resident population.
  • Facilities must include the input of the nursing home leadership, including but not limited to, a member of the governing body and the medical director; management, including but not limited to, an administrator and the director of nursing; and direct care staff, including but not limited to, RNs, LPNs/LVNs, and NAs, and representatives of direct care staff as applicable. The LTC facility must also solicit and consider input received from residents, resident representatives, and family members.
  • Facilities are required to develop a staffing plan to maximize recruitment and retention of staff consistent with what was described in the President’s April Executive Order on Increasing Access to High-Quality Care and Supporting Caregivers.

Temporary Limited Exceptions

LTC facilities may qualify for a temporary hardship exemption from the minimum nurse staffing HPRD standards and the 24/7 RN requirement only if they meet the following criteria for geographic staffing unavailability, financial commitment to staffing, and good faith efforts to hire:

  • The facility is located in an area where the supply of RN, NA, or total nurse staff is not sufficient to meet area needs as evidenced by the applicable provider-to-population ratio for nursing workforce (RN, NA, or combined licensed nurse and nurse aide), which is a minimum of 20% below the national average, as calculated by CMS using data from the U.S. Bureau of Labor Statistics and the U.S. Census Bureau.
    • The facility may receive an exemption from the total nurse staffing requirement of 3.48 HPRD if the combined licensed nurse and nurse aide to population ratio in its area is a minimum of 20% below the national average.
    • The facility may receive an exemption from the 0.55 RN HPRD requirement, and an exemption of eight hours a day from the RN on-site 24 hours per day for seven days a week requirement, if the RN to population ratio in its area is a minimum of 20% below the national average.
    • The facility may receive an exemption from the 2.45 NA HPRD requirement if the NA to population ratio in its area is a minimum of 20% below the national average.

Eligible LTC facilities that meet the criteria will receive a temporary hardship exemption by completing the following:

  • The facility provides documentation of good faith efforts to hire and retain staff, such as through job postings, the number and duration of vacancies, job offers made, and competitive wage offerings. 
  • The facility provides documentation of the facility’s financial commitment to staffing, including the amount the facility expends on nurse staffing relative to revenue. 

Before being considered, the LTC facility must be surveyed for compliance with the LTC participation requirements. CMS will coordinate with state survey agencies to determine if the facility meets the criteria for a hardship exemption noted above.

Facilities granted an exemption will be required to: 1) post a notice of its exemption status in a prominent and publicly viewable location in each resident facility; 2) provide notice of its exemption status, and the degree to which it is not in compliance with the HPRD requirements, to each current and prospective resident; and 3) send a copy of the notice to a representative of the Office of the State Long-Term Care Ombudsman.

CMS will indicate if a facility has obtained an exemption on the Medicare.gov Care Compare website.

Facilities are not eligible for an exemption if any one of the following is true:

  • They have failed to submit their data to the Payroll Based Journal System.
  • They have been identified as a special focus facility (SFF).
  • They have been identified within the preceding 12 months as having: widespread, or a pattern of, insufficient staffing that resulted in actual harm to a resident; or an incident of insufficient staffing that caused or is likely to cause serious harm or death to a resident.

Facilities that meet the hardship exemption criteria are eligible from the time at which the exemption is granted until the next standard recertification survey, unless the facility meets any of the above-mentioned criteria for not being eligible for the exemption during that time. The hardship exemption may be extended on each standard recertification survey, after the initial period, if the facility continues to meet the exemption criteria.

Implementation Deadlines

The Final Rule has a staggered implementation timeframe for its minimum nurse staffing standards and 24/7 RN requirement based on geographic location, as well as possible exemptions for qualifying facilities from some parts of these requirements based on workforce unavailability and other factors.

CMS is implementing the minimum nurse staffing requirements in three phases over a three-year period for all non-rural facilities. The following deadlines apply for non-rural facilities:

  • Phase 1 — Within 90 days of the final rule publication, facilities must meet the facility assessment requirements. 
  • Phase 2 — Within two years of the final rule publication, facilities must meet the 3.48 HPRD total nurse staffing requirement and the 24/7 RN requirement. 
  • Phase 3 — Within three years of the final rule publication, facilities must meet the 0.55 RN and 2.45 NA HPRD requirements.

The Final Rule sets later deadlines for rural facilities in acknowledgment of the unique challenges that rural LTC facilities may face in staffing as follows:

  • Phase 1 — Within 90 days of the final rule publication, facilities must meet the facility assessment requirements. 
  • Phase 2 — Within three years of the final rule publication, facilities must meet the 3.48 HPRD total nurse staffing requirement and the 24/7 RN requirement. 
  • Phase 3 — Within five years of the final rule publication, facilities must meet the 0.55 RN and 2.45 NA HPRD requirements. 

Qualification as a rural facility is determined by the Office of Management and Budget.

CMS Nursing Home Staffing Campaign

CMS continues efforts to increase the number of nurses in nursing homes. As part of these efforts, CMS plans to promote awareness of the many career pathways in the nursing field that are available to help recruit all types of individuals, from NAs to LPNs/LVNs and RNs. It also plans to offer financial incentives like tuition assistance for nurses to work in the nursing home environment in qualifying facilities or state oversight roles and to make it easier for individuals to become nurse aides by streamlining the process for enrolling in training programs and finding placement in a nursing home.

Additionally, CMS plans to partner with states to bolster nurse recruitment.

CMS says more announcements are expected later this year and it anticipates beginning distribution of financial incentives in 2025.

Begin Preparing Now

All nursing homes and other health care facilities competing for staffing should begin preparing for these changes immediately. Obviously, LTCs participating in Medicare, Medicaid or other covered programs will face the most immediate and direct impact from these rules. Facilities should begin documenting their efforts to meet the staffing requirements and, where applicable, gathering the evidence and other materials needed to prepare for required surveys and to establish the other criteria necessary to qualify for exemption if needed.

It is not just the facilities directly covered by the rules that the new staffing requirements will impact.

While the new requirements technically apply only to LTCs participating in Medicare, Medicaid or other CMS regulated programs, their applicability likely will impact non-participating programs as well. The new minimum requirements will affect standards of care for negligence and other purposes.

Likewise, increases in compensation and other terms and conditions of employment at covered facilities will affect other types of providers. Non-participating nursing homes, home health, hospice, hospitals, rehabilitation facilities, assisted living facilities and other providers should expect greater scrutiny of their staffing and greater pressure to pay better wages and improve other work conditions and benefits in response to greater competition for workers.

Facilities that have used noncompetition agreements or other restraints on post-employment eligibility to work are cautioned that these types of restraints could run afoul of the Federal Trade Commission’s new Non-Competition Clause Final Rule slated to take effect in September 2024 if the current judicial stay against it is lifted by that time.

Likewise, long-term care and other healthcare employers planning to increase wages or other terms of employment are cautioned to use care to comply with any applicable duties to bargain or other requirements if subject to union organization or contracts.

Given the complicated maze of employment, benefits, and healthcare regulations that facilities working to deal with these new requirements must negotiate, healthcare providers working with these and other recruitment rules are encouraged to consult with qualified legal counsel with experience in both the healthcare and employment issues involved.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of workforce, risk management, compliance, regulatory and government affairs and other work with health care, employee benefit, managed care and other insurance, education, workforce and other performance and data dependent organizations, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with government and private health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services, education and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications, her experience includes extensive involvement throughout her career advising and representing health care and life sciences and other clients about preventing, investigating and defending HHS CMS, OIG, CCIIO, OCR; DOL WHD, EEOC, EBSA, OSHA; DOJ, OFCCP; NLRB; DOE; ICE; state attorney general licensing, Department of Health, Aging, Disability, Insurance, and other federal and state, JCHO and other accreditation and quality, peer review, employment and other workforce, contract and other investigations, audits, and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


CMS Health Care Disparities Report Released

May 3, 2024

Reports released by the Centers for Medicare & Medicaid Services share data on health care disparities and patient care quality in the Medicare Advantage and Prescription Drug Plan Consumer Assessment of Healthcare Provider and Systems survey.

The 2024 Disparities in Health Care in Medicare Advantage by Race, Ethnicity, and Sex Report prepared by the CMS Office of Minority Health (CMS OMH) summarizes the quality of health care received by people enrolled in Medicare Advantage across the United States, focusing on differences in patient experience and clinical care quality based on race, ethnicity, and sex in 2023.

The 2024 report highlights a range of aspects regarding the quality of patient care. It includes seven measures of patient experience from the Medicare Advantage and Prescription Drug Plan Consumer Assessment of Healthcare Provider and Systems survey, along with 41 clinical care quality measures covering nine domains of care from the Health Effectiveness Data and Information Set. These measures were stratified by race and ethnicity, sex, and the combination of race and ethnicity within sex to highlight areas where disparities exist.

In addition, CMS announced the availability of a new public use file on Socio-demographic and Health Characteristics of Medicare Beneficiaries Living in the Community by Metropolitan Residence Status. This public use file uses 2021 Survey File data from the Medicare Current Beneficiary Survey. Also released today is an infographic, Health Status and Access to Care Among Medicare Beneficiaries Living in the Community by Metropolitan Residence Status.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Update Change Surprise Billing IDR Resubmission Procedures Effective 5/1/24

May 1, 2024

The Departments of Health and Human Services, Labor, and the Treasury (collectively, the Departments) today announced changes to the required process for resubmitting Independent Dispute Resolution (“IDR”) disputes originally improperly batched or bundled in the Federal IDR portal. Health care providers and plans should update their processes for resubmission immediately.

According to the Departments’ May 1 announcement, resubmission requests for disputes originally improperly batched or bundled will come directly from the Federal IDR portal instead of from the certified IDR entity, and initiating parties now will have a unique web form they can access via a link in their resubmission email notification to complete the resubmission process.

Starting on May 1, 2024, certified IDR entities will notify parties that a dispute is eligible for resubmission due to improper batching or bundling through an email from the Federal IDR portal, sent from auto-reply-federalidrquestions@cms.hhs.gov. If the recipient initiated the dispute, the resubmission email notification will contain a unique link to a new form called the Notice of IDR Initiation – Resubmission web form and instructions on the next steps. If the recipient did not initiate the original dispute, the email notification will be informational and will not have a link.

Initiating parties have four business days from the date of the resubmission email notification to resubmit a dispute. The resubmission link will no longer work after the four business day window has passed.

If a certified IDR entity notified the party that a dispute submitted was eligible for resubmission due to improper batching or bundling before May 1, 2024, the Departments state the recipient should resubmit the dispute as instructed in the email from its certified IDR entity through the Notice of IDR Initiation web form by May 6, 2024. For information on how to resubmit these disputes, refer to the Notice of Initiation Web Form Job Aid.

The Departments state the Notice of IDR Initiation web form will accept resubmitted disputes through May 6, 2024. After May 6, 2024, the Notice of IDR Initiation web form will no longer accept resubmitted disputes, and all resubmissions must be submitted via the Notice of IDR Initiation – Resubmission web form, as described in the paragraph below.

The following resources provide additional information and instructions on how to complete and submit the new Notice of IDR Initiation – Resubmission web form, following

Health care providers and health plans using the new IDR processes should update their processes immediately to avoid forfeiting surprise billing rights. Recipients of e-mails purportedly from the portal are cautioned to adopt and follow appropriate procedures to guard against malware or other cyber threats.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health, employee benefits, insurance, hospitality, retail, construction and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and its rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


DOJ Sets Minimum Standards For State & Local Government Website, Mobile App Disability Accessibility

May 1, 2024

Government hospitals and other health care providers, academic medicine and other schools, and other state and local governments should begin assessing their responsibilities under a new Justice Department final rule that requires State and local governments to improve web and mobile application (app) access for people with disabilities.

The rule clarifies what State and local governments must do to meet their existing duty under Title II of the Americans with Disabilities Act (ADA) for website or other activities moved to the digital space.

The rule, signed by the Attorney General earlier this month and published in the Federal Register today, adopts a technical standard for web and mobile accessibility to ensure that people with disabilities can better access important public services like health care, voting, and education. Read this fact sheet for a high-level summary.

The final rule requires State and local governments with a population of 50,000 or more to comply with the rule’s requirements beginning on April 24, 2026. The compliance deadline for State and local governments with a population of less than 50,000, as well as special district governments, is April 26, 2027. This means that State and local governments’ web content and mobile apps will have to generally meet the technical standard in the rule by these dates and on an ongoing basis after these dates.

Until then, State and local governments still have existing ADA Title II, Section 1557 and other disability accessibility and accommodation obligations that are aggressively enforced by government agencies like the Civil Rights Divisions of DOJ, the Department of Health & Human Services and Department of Education as well as private litigants. This means that even before the compliance dates, State and local governments must provide people with disabilities equal access to their services, programs, and activities offered via the web and mobile apps.

The Department plans to issue a Small Entity Compliance Guide to assist small State and local governments in complying with the rule. Stay tuned!

Meanwhile, impacted health, education and other government entities and their contractors should begin evaluating and implementing the changes required to ensure the defensibility of the accessibility of their current web, mobile access and other services now and when the new rules take effect.

As websites, mobile apps and other Internet-based communications, records, and other services portals usually collect patient healthcare, financial, or other sensitive personal information and interface with medical, education, financial and other systems, these efforts should continuously include documented efforts to assess and fulfill data security, privacy, retention and other requirements under applicable laws like the Health Insurance Portability & Accountability Act, the Family Educational Rights Act, the Fair & Accurate Credit Transactions Act and other relevant Federal and state privacy, data security and other laws.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for a compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of work with health care, employee benefit, managed care and other insurance, education, workforce and other performance and data dependent organizations, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with government and private health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services, education and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here



DOJ Sets Minimum Standards For State & Local Government Website, Mobile App Disability Accessibility

April 25, 2024

Government hospitals and other health care providers, academic medicine and other schools, and other state and local governments should begin assessing their responsibilities under a new Justice Department final rule that requires State and local governments to improve web and mobile application (app) access for people with disabilities.

The rule clarifies what State and local governments must do to meet their existing duty under Title II of the Americans with Disabilities Act (ADA) for website or other activities moved to the digital space.

The rule, signed by the Attorney General earlier this month and published in the Federal Register today, adopts a technical standard for web and mobile accessibility to ensure that people with disabilities can better access important public services like health care, voting, and education. Read this fact sheet for a high-level summary.

Today’s publication requires State and local governments with a population of 50,000 or more to comply with the rule’s requirements beginning on April 24, 2026. The compliance deadline for State and local governments with a population of less than 50,000, as well as special district governments, is April 26, 2027. This means that State and local governments’ web content and mobile apps will have to generally meet the technical standard in the rule by these dates and on an ongoing basis after these dates.

Until then, State and local governments still have existing ADA Title II, Section 1557 and other disability accessibility and accommodation obligations that are aggressively enforced by government agencies like the Civil Rights Divisions of DOJ, the Department of Health & Human Services and Department of Education as well as private litigants. This means that even before the compliance dates, State and local governments must provide people with disabilities equal access to their services, programs, and activities offered via the web and mobile apps.

The Department plans to issue a Small Entity Compliance Guide to assist small State and local governments in complying with the rule. Stay tuned!

Meanwhile, impacted health, education and other government entities and their contractors should begin evaluating and implementing the changes required to ensure the defensibility of the accessibility of their current web, mobile access and other services now and when the new rules take effect.

As websites, mobile apps and other Internet-based communications, records, and other services portals usually collect patient healthcare, financial, or other sensitive personal information and interface with medical, education, financial and other systems, these efforts should continuously include documented efforts to assess and fulfill data security, privacy, retention and other requirements under applicable laws like the Health Insurance Portability & Accountability Act, the Family Educational Rights Act, the Fair & Accurate Credit Transactions Act and other relevant Federal and state privacy, data security and other laws.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for a compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.
