Trump Administration Grants Fiduciary Rule Prohibited Transaction Relief

March 27, 2017

Employers and other employee benefit plan sponsors, fiduciaries, investment and financial service providers and other plan service providers should review their plans for possible transactions that may qualify for excise tax relief under new guidance issued today by the Internal Revenue Service and Department of Labor.

IRS Announcement 2017-04, scheduled for publication in the Federal Register as IRB 2017-16 on April 17, 2017, provides relief from the excise taxes under section 4975 of the Internal Revenue Code and any related reporting requirements to conform to the temporary enforcement policy described by the Department of Labor (DOL) in Field Assistance Bulletin (FAB) 2017-01 with respect to the final fiduciary duty rule published in the Federal Register on April 8, 2016 (81 F.R. 20946), entitled “Definition of the Term ‘Fiduciary’; Conflict of Interest Rule – Retirement Investment Advice” and related prohibited transaction exemptions, including the Best Interest Contract Exemption (BIC Exemption), the Class Exemption for Principal Transactions in Certain Assets Between Investment Advice Fiduciaries and Employee Benefit Plans and IRAs (Principal Transactions Exemption), and certain amended prohibited transaction exemptions (collectively, PTEs).

The relief parallels similar relief provided by the Department of Labor to these individuals in a recently released Field Assistance Bulletin.

The new DOL and IRS guidance gives temporary relief from the DOL final regulation, published April 6, 2016, defining who is a “fiduciary” of an employee benefit plan under § 3(21)(A)(ii) of ERISA as a result of giving investment advice to a plan or its participants or beneficiaries. That final rule, which also applies to the definition of a “fiduciary” of a plan under § 4975(e)(3)(B) of the Code, treats persons who provide investment advice or recommendations for a fee or other compensation with respect to assets of a plan as fiduciaries in a wider array of advice relationships than was true of the prior regulatory definition. Concurrent with its publication of the final rule, the DOL published the PTEs, which provide two new administrative class exemptions from the prohibited transaction provisions of ERISA and the Code, as well as amendments to previously granted exemptions.

The PTEs would allow, subject to appropriate safeguards, certain broker-dealers, insurance agents, and others that act as investment advice fiduciaries, as defined under the final rule, to continue to receive a variety of forms of compensation that would otherwise violate prohibited transaction rules, triggering excise taxes and civil liability.

The final fiduciary duty rule became effective on June 7, 2016, and has an applicability date of April 10, 2017. The PTEs also have an applicability date of April 10, 2017, with a phased implementation period ending on January 1, 2018, for the BIC Exemption and the Principal Transactions Exemption. 

President Trump, by Memorandum to the Secretary of Labor dated February 3, 2017, directed the DOL to examine whether the fiduciary duty rule may adversely affect the ability of Americans to gain access to retirement information and financial advice and to prepare an updated economic and legal analysis concerning the likely impact of the rule as part of that examination.

After requesting comments on the final rule on March 3, DOL on March 10, 2017, announced a temporary enforcement policy related to its proposal to extend for 60 days the applicability date of the fiduciary duty rule and the related PTEs. The policy announced in FAB 2017-01 provides that:

  • If DOL issues a final rule after April 10 implementing a delay in the applicability date of the fiduciary duty rule and related PTEs, the DOL will not initiate an enforcement action because an adviser or financial institution did not satisfy conditions of the rule or the PTEs during the “gap” period in which the rule becomes applicable before a delay is implemented, including a failure to provide retirement investors with disclosures or other documents intended to comply with provisions of the rule or the related PTEs. 
  • If DOL decides not to issue a delay in the fiduciary duty rule and related PTEs, the DOL will not initiate an enforcement action because an adviser or financial institution, as of the April 10 applicability date of the rule, failed to satisfy conditions of the rule or the PTEs, provided that the adviser or financial institution satisfies the applicable conditions of the rule or PTEs, including sending out required disclosures or other documents to retirement investors, within a reasonable period after the publication of a decision not to delay the April 10 applicability date.

Field Assistance Bulletin 2017-01 provides that, to the extent circumstances surrounding its decision on the proposed delay of the April 10 applicability date give rise to the need for other temporary relief, including retroactive prohibited transaction relief, the DOL will consider taking such additional steps as necessary with respect to the arrangements and transactions covered by the DOL temporary enforcement policy and any subsequent related DOL enforcement guidance. Following the issuance of the FAB, stakeholders have raised concerns about the potential application of excise taxes under Code § 4975 and related reporting obligations in cases covered by the DOL’s temporary enforcement policy.

Because the Code and ERISA contemplate consistency in the enforcement of the prohibited transaction rules by the IRS and the DOL, as further reflected in and facilitated by the statutory Reorganization Plan, the Treasury Department and the IRS have determined that it is appropriate to adopt a temporary excise tax non-applicability policy that conforms with the DOL’s temporary enforcement policy described in FAB 2017-01. Accordingly, Announcement 2017-04 provides that the IRS will not apply § 4975 and related reporting obligations with respect to any transaction or agreement to which the DOL’s temporary enforcement policy, or other subsequent related enforcement guidance, would apply.

The new collective guidance provides a short reprieve from the obligation to comply with the otherwise applicable requirements of the fiduciary rule pending the new administration’s review and reconsideration of that rule. While many will welcome this relief, plan sponsors, fiduciaries and service providers need to keep in mind that its provisions are temporary in nature and do not preclude a participant or beneficiary from seeking to establish liability of an individual providing advice or assistance with respect to services under the facts and circumstances in an ERISA lawsuit. Because of the risk of litigation even when the agencies are standing down from enforcement, plan sponsors and fiduciaries and the service providers that assist them with reviewing and making investments should at all times take care to be able to defend their actions under the fiduciary rules.


Read Latest Version of Republican Health Reform Bill

March 21, 2017

Republicans continue to push health reform on the fast track. Read the Manager’s Amendment to H.R. 1628 at https://rules.house.gov/bill/115/hr-1628, which is scheduled to go before the House Rules Committee before a planned House vote Thursday.


Teach Patients To Protect Against Healthcare Associated Illnesses

March 18, 2017

Staph infections are only one category of serious infection risks that patients and their families face when getting health care treatment. Patients can reduce these infection risks by sharing the following tips from the Centers for Disease Control:

  • Speak up. Talk to your doctor about any questions or worries. Ask what they’re doing to protect you.
  • Keep hands clean. Make sure everyone, including friends and family, cleans their hands before touching you. If you don’t see your healthcare providers clean their hands, ask them to do so.
  • Ask each day if your central line catheter or urinary catheter is necessary. Leaving a catheter in place too long increases the chances you’ll get an infection. Let your doctor or nurse know immediately if the area around the central line becomes sore or red, or if the bandage falls off or looks wet or dirty.
  • Prepare for surgery. Let your doctor know about any medical problems you have. Ask your doctor how he/she prevents surgical site infections.
  • Ask your healthcare provider, “Will there be a new needle, new syringe, and a new vial for this procedure or injection?” Insist that your healthcare providers never reuse a needle or syringe on more than one patient.
  • Get Smart about antibiotics. Antibiotics only treat bacterial infections – they don’t work for viruses like the ones that cause colds and flu. Ask your healthcare provider if there are steps you can take to feel better without using antibiotics. If you’re prescribed an antibiotic, make sure to take the prescribed antibiotic exactly as your healthcare provider tells you and do not skip doses.
  • Watch out for deadly diarrhea (aka Clostridium difficile). Tell your doctor if you have 3 or more diarrhea episodes in 24 hours, especially if you’ve been taking an antibiotic.
  • Know the signs and symptoms of infection. Some skin infections, such as MRSA, appear as redness, pain, or drainage at an IV catheter site or surgery site and come with a fever. Infections can also lead to sepsis, a complication caused by the body’s overwhelming and life-threatening response to an infection.
  • Get Vaccinated. Getting yourself, family, friends, and caregivers vaccinated against the flu and other infections prevents spread of disease.
  • Cover your mouth and nose. When you sneeze or cough, germs can travel 3 feet or more. Use a tissue to avoid spreading germs with your hands.

Healthcare-associated infections are not only a problem for healthcare facilities – they represent a public health issue. Learn more about how to be a safe patient. Read: Patient Safety: What You Can Do to Be a Safe Patient.

©2017 Cynthia Marcotte Stamer. Nonexclusive license to republish granted to Solutions Law Press, Inc.


Update CMS Bookmarks By April 3

March 17, 2017

The Centers for Medicare & Medicaid Services (CMS) has merged all up-to-date content from its Road to 10 website to its main ICD-10 site, cms.gov/ICD10. It expects to finish phasing out the Road to 10 site by April 3.

In preparation for the merge, health care providers and other interested parties should update all bookmarks and links for Roadto10.org to point to cms.gov/ICD10 as soon as possible and no later than April 3.


Read American Health Care Act

March 6, 2017

Paul Ryan released the American Health Care Act (Act), the Republican leadership’s proposed bill to repeal or reform the Obamacare law, the Patient Protection and Affordable Care Act (ACA).

When introducing the Act, Speaker Ryan touted the Act as rescuing the US health care system from the ACA, driving down costs, encouraging competition, and giving every American access to quality, affordable health insurance.

Read the Act here. Share your specific ideas and thoughts about the Act, along with your other input on what our health care system should look like going forward, how these proposals relate, and the other reforms you believe Congress should make to build a better healthcare system for today that can survive into the future, by joining the discussion in the Solutions Law Press, Inc. Coalition for Responsible Health Care Policy LinkedIn Group.


CMS Extends Inpatient Rehab & Long Term Care Quality Data Reporting Deadlines

February 22, 2017

The Centers for Medicare & Medicaid Services (CMS) has extended the February 15th submission deadline for the Inpatient Rehabilitation Facility (IRF) and Long-Term Care Hospital (LTCH) Quality Reporting Program (QRP) for data submitted via the Centers for Disease Control and Prevention’s (CDC) National Health and Safety Network (NHSN) during Quarter 3, 2016. Providers now have until Monday, May 15, 2017 to submit their data. See IRF_LTCH QRP NHSN Data Submission Deadline Extension February 2017 Guidance Document.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as an “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29-plus years of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management,  crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations. Her experience encompasses  helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training ;board, medical staff and other governance;   compliance and internal controls; strategic planning, process and quality improvement; change management;  assess, deter, investigate and address staffing, quality, compliance  and other performance;  meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.

As a core component of her work,  Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry 
investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns including policy design, drafting, administration and training; business associate and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.   Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. 
Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy and governmental and regulatory affairs experience, Ms. Stamer also is widely recognized for regulatory and policy work, advocacy and outreach on healthcare, education, aging, disability, savings and retirement, workforce, ethics, and other policies.  Throughout her adult life and career, Ms. Stamer has provided thought leadership; policy and program design, statutory and regulatory development design and analysis; drafted legislation, proposed regulations and other guidance, position statements and briefs, comments and other critical policy documents; advised, assisted and represented health care providers, health plans and insurers, employers, professional. and trade associations, community and government leaders and others on health care, health, pension and retirement, workers’ compensation, Social Security and other benefit, insurance and financial services, tax, workforce, aging and disability, immigration, privacy and data security and a host of other international and domestic federal, state and local public policy and regulatory reforms through her involvement and participation in numerous client engagements, founder and Executive Director of the Coalition for Responsible Health Policy and its PROJECT COPE: the Coalition on Patient Empowerment, adviser to the National Physicians Congress for Healthcare Policy, leadership involvement with the US-Mexico Chamber of Commerce, the Texas Association of Business, the ABA JCEB, Health Law, RPTE, Tax, Labor, TIPS, International Life Sciences, and other Sections and Committees, SHRM Governmental Affairs Committee and a host of other  involvements and activities.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


$5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit

February 16, 2017

Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The nonprofit corporation which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities throughout the South Florida area with affiliated physician offices through an Organized Health Care Arrangement (OHCA) also agreed to implement a robust corrective action plan as part of the Resolution Agreement.

The MHS Resolution sends a strong message to all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates that simply adopting HIPAA policies alone is insufficient to avoid getting nailed by OCR under HIPAA; Covered Entities and their business associates also must implement, audit and enforce those policies.

The MHS Resolution Agreement resulted from an investigation initiated by the HHS Office for Civil Rights (OCR) after MHS reported to OCR that protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.

The investigation revealed that although MHS had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

MHS’ failure to follow through to implement the controls required by its policies and audit and enforce compliance with HIPAA and its HIPAA policies was a costly mistake. Other Covered Entities should heed MHS’ painful lesson and take documented steps to ensure their HIPAA policies not only are adopted, but also implemented and monitored and audited for compliance.
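
The two review gaps described above (access rights not terminated, and system activity records not reviewed) can both be checked mechanically. The following Python example is added here and is not part of the original article or any MHS system; the roster, account export, audit log format and every name in it are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed HR/affiliate roster: account -> (organization, termination date or None).
ROSTER = {
    "asmith": ("MHS", None),
    "bjones": ("Affiliated Practice A", date(2011, 4, 1)),
    "cnguyen": ("MHS", date(2012, 1, 15)),
}

# Constructed account directory export: account -> still enabled?
ACCOUNTS = {"asmith": True, "bjones": True, "cnguyen": False, "svc_test": True}

# Constructed application audit log lines (the line format is an assumption).
LOG_LINES = [
    "2011-03-30T09:02:11 user=bjones app=ehr action=view patient=P1001",
    "2011-04-04T07:55:40 user=bjones app=ehr action=view patient=P1002",
    "2011-04-04T07:56:02 user=bjones app=ehr action=view patient=P1003",
    "2011-04-05T08:01:19 user=bjones app=ehr action=view patient=P1002",
    "2011-04-05T10:12:00 user=asmith app=ehr action=view patient=P1001",
    "2012-01-10T14:30:00 user=cnguyen app=ehr action=view patient=P2001",
    "malformed line without fields",
    "2012-02-01T11:00:00 user=svc_test app=ehr action=view patient=P3001",
]


def parse_event(line):
    """Return (timestamp, user, patient) or None if the line cannot be parsed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "user" not in fields or "patient" not in fields:
        return None
    return ts, fields["user"], fields["patient"]


def stale_accounts(roster, accounts, as_of):
    """Access review: enabled accounts with a terminated owner or no owner at all."""
    findings = {}
    for user, enabled in accounts.items():
        if not enabled:
            continue
        if user not in roster:
            findings[user] = "no owner on roster"
        elif roster[user][1] is not None and roster[user][1] <= as_of:
            findings[user] = "owner terminated " + roster[user][1].isoformat()
    return findings


def post_termination_access(roster, lines):
    """Activity review: summarize record access made after the owner's termination date.

    Access on the termination date itself is treated as legitimate (assumption).
    Unparseable lines are counted so that gaps in the log are visible to the reviewer.
    """
    summary = defaultdict(lambda: {"events": 0, "days": set(), "patients": set()})
    skipped = 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            skipped += 1
            continue
        ts, user, patient = event
        term = roster.get(user, (None, None))[1]
        if term is not None and ts.date() > term:
            entry = summary[user]
            entry["events"] += 1
            entry["days"].add(ts.date())
            entry["patients"].add(patient)
    return dict(summary), skipped


if __name__ == "__main__":
    for user, reason in stale_accounts(ROSTER, ACCOUNTS, date(2012, 4, 30)).items():
        print("ACCESS REVIEW  %-8s %s" % (user, reason))
    hits, skipped = post_termination_access(ROSTER, LOG_LINES)
    for user, entry in hits.items():
        print("ACTIVITY       %-8s %d events on %d days, %d distinct patients"
              % (user, entry["events"], len(entry["days"]), len(entry["patients"])))
    print("unparseable log lines: %d" % skipped)
```

Run on a schedule against the real roster and audit log exports, the two reports give the documented, recurring review that the Resolution Agreement found missing.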

