Ensure Health Care & Other Compliance Practices Updated For New DOJ Voluntary Disclosure Policy

February 24, 2023

Health care, life sciences and other organizations and their leaders generally recognize the need for effective compliance programs to mitigate their organizational and individual criminal liability risks for violations of the constantly widening plethora of federal health care, tax, marketing, labor and employment, antitrust, marketing, securities, cyber liability, safety, environmental and other laws.

To maintain and promote the effectiveness of these efforts, organizations and their leaders now need to consider the advisability of enhancements or other modifications of their organization’s Federal Sentencing Guideline and other compliance programs and practices in light of the new corporate criminal conduct Voluntary Self-Disclosure Policy (“VSD policy”) announced by the Department of Justice on February 23, 2023. Concurrently, organizations and their leaders also will want to monitor and respond promptly to Justice Department statements and congressional recommendations on proposed Guideline changes providing critical insights into the Justice Department’s planned interpretation and enforcement of federal criminal laws and the Guidelines against organizations and their leaders like those available here.

While the application of the VSP policy inherently requires subjective decision-making, the VSP policy and other emerging statements reinforce to organizations and their leaders the advisability of ensuring their organizations adopt and administer effective Federal Sentencing Guideline compliance programs for the ever-growing list of laws applicable to their organizations that carry potential felony and class A misdemeanor criminal liability and timely to investigate and self-disclose violations with the assistance of legal counsel in accordance with the Guideline requirements for liability mitigation to mitigate the potential liability exposure of the organization and its leader.

VSD Policy Standardizes USAO Sentencing Guideline Organization Liability Determinations

Chapter 8 of the Federal Sentencing Guidelines sets standards for the assessment of criminal liability and punishment against corporations, partnerships, labor unions, pension funds, trusts, non-profit entities, and governmental units (“organizations”) and their leaders for legal violations committed by the organization that carry felony or Class A misdemeanor liability or when the Federal Sentencing Guidelines impute criminal liability to the organization for criminal acts that an employee of the organization commits an act within the apparent scope of his employment.

The standards for organizational sentencing offer organizations the opportunity to mitigate their liability exposure if it can persuade the prosecuting U.S. attorneys office (“USAO”) it had in place and followed an effective compliance program, promptly reported the violation to the authorities, and that high-level leaders were not involved in the actual offense conduct. On the other hand, an organization’s lack of an effective compliance program, delay in investigation, cover-up or failure or delay of timely disclosure and failure to make prompt restitution for violations are aggravating factors that can increase its potential sanction.

According to the Justice Department, the Justice Department intends that the VSD policy ensure that organizations can rely on receiving the same treatment and benefits for voluntarily self-disclosing criminal conduct under the Federal Sentencing Guidelines organizational liability rules to any USAO no matter where the organization operates by setting “a nationwide standard” for how USAOs will determine whether an organization has made a voluntary self-disclosure and making transparent the specific, tangible benefits to an organization that the USAO will offer the organization for making a voluntary self-disclosure, fully cooperating, and remediating the criminal conduct.

In furtherance of this goal, the new VSD policy provides that a USAG will consider an organization to have made a VSD for purposes of the Federal Sentencing Guidelines if it becomes aware of misconduct by employees or agents before that misconduct is publicly reported or otherwise known to the DOJ, and discloses all relevant facts known to the company about the misconduct to USAO in a timely fashion before an imminent threat of disclosure or government investigation. 

In the absence of any aggravating factor, the VSD policy calls for the USAG “significant benefits” to a corporation that voluntarily self-discloses criminal conduct committed by its employee or agent in accordance with the VSD policy, fully meets the other requirements of the VSD policy, fully cooperates and timely and appropriately remediates the criminal conduct including agreeing to pay all disgorgement, forfeiture, and restitution resulting from the misconduct.  The promised significant benefits for organizations making a qualifying VSD include that the USAO:

  • Will not seek a guilty plea;
  • May choose not to impose any criminal penalty and in any event will not impose a criminal penalty that is greater than 50% below the low end of the United States Sentencing Guidelines (USSG) fine range; and
  • Will not seek the imposition of an independent compliance monitor if the company demonstrates that it has implemented and tested an effective compliance program.

The VSD policy identifies three aggravating factors that could warrant a USAO seeking a guilty plea even if the other requirements of the VSD policy are met:

  • If the misconduct poses a grave threat to national security, public health, or the environment;
  • If the misconduct is deeply pervasive throughout the company; or
  • If the misconduct involved the current executive management of the company. 

The Justice Department says the presence of an aggravating factor does not necessarily mean that a guilty plea will be required. Rather, the USAO will assess the relevant facts and circumstances to determine the appropriate resolution.  If a guilty plea is ultimately required, the Justice Department says the organization will still receive the other benefits under the VSD policy, including that the USAO will recommend a criminal penalty of at least a 50% and up to a 75% reduction off the low end of the USSG fine range, and that the USAO will not require the appointment of a monitor if the company has implemented and tested an effective compliance program.

In cases where a company is being jointly prosecuted by a USAO and another DOJ component, or where the misconduct reported by the company falls within the scope of conduct covered by VSD policies administered by other DOJ components, the USAO will coordinate with, or, if necessary, obtain approval from, the DOJ component responsible for the VSD policy specific to the reported misconduct when considering a potential resolution.  Consistent with relevant provisions of the Justice Manual and as allowable under alternate VSD policies, the USAO may choose to apply any provision of an alternate VSD policy in addition to, or in place of, any provision of its policy.

VSD Policy Reenforces Necessity of Effective Compliance Program & Guideline Compliance

The stated goal of the VSD policy to incentivize companies to maintain effective compliance programs capable of identifying misconduct, expeditiously and voluntarily disclose and remediate misconduct, and cooperate fully with the government in corporate criminal investigations sends a strong message to organizations and their leaders to maintain and administer effective compliance programs and follow the VSD policy promptly when issues arise.

While the Justice Department touts the benefits of compliance with the VSD policy, its adoption also carries an implicit warning to organizations against failing to comply with its provisions.

With the Biden Administration accelerating enforcement of a wide range of federal laws carrying criminal liability, organizations and their leaders should heed this warning by auditing and enhancing their and their organization’s potential criminal exposures and the adequacy of their compliance policies, practices and documentation.

Because of the highly sensitive nature of this type of analysis for the organization and its leaders, before starting the review, and throughout its conduct organizations are urged to engage and seek guidance from qualified legal counsel to position their review for protection, within the scope of attorney, client privilege, and other evidentiary protections, as well as to maximize the benefit of the effort undertaken in the event of future investigations or enforcement.

Possessing an up-to-date understanding of material civil and criminal legal obligations and exposures is absolutely critical to the effectiveness of this review. With laws and regulations constantly changing, organizations and their leaders must establish a documented, provable culture of compliance. This starts with ensuring their organizations have adopted strong policies of compliance coupled with processes for monitoring and identifying laws carrying potential criminal liability, exposure or otherwise, requiring corporate compliance programs. Along with requirements to comply, leadership also must implement appropriate processes for auditing compliance as well as receiving and investigating complaints or other indicators that arguably put their organization or its leadership on notice of potential compliance concerns.

When implementing compliance procedures, for any specific law, organizations, and their leaders will also want to ensure that their processes and policies are designed to meet the seven criteria that Chapter 8 of the Federal Sentencing Guidelines outlines for establishing an “effective compliance program”

  • The maintenance and enforcement of compliance standards and procedures reasonably capable of reducing the prospect of criminal activity;
  • Oversight by high-level personnel;
  • Due care in delegating substantial discretionary authority;
  • Effective Communication to all levels of employees;
  • Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal.
  • Consistent enforcement of compliance standards including disciplinary mechanisms; and
  • Reasonable steps to respond to and prevent further similar offenses upon detection of a violation.

Taking into account these criteria and the new VSP policy, organizations and their leaders also should ensure their organization has appropriate procedures and protocols for receiving, investigating and reports of potential violations and the organization’s timely and appropriate response in a manner that best positions the organization to demonstrate the culture of compliance, and other factors necessary to qualify for the maximum leniency under the guidelines. in a manner that best positions the organization to demonstrate the culture of compliance, and other factors necessary to qualify for the maximum leniency under the guidelines.

When designing and administering compliance investigations and responses, documentation and other evidence regarding actions taken, communications and deliberations, play a key role in deciding how the organization and its leaders will be treated under the VCD policy and the guidelines. For this reason, organizations should include appropriate procedures to determine when and how legal counsel will become involved to guide the process and allow for the use of attorney-client privilege to help protect, sensitive discussions along the way. Legal counsel also should assist in documenting the process and findings for presentation to the Justice Department and subsequent communications with it through resolution.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Anti-KickBack, ASC, Corporate Compliance, Employee Benefits, Employment, Federal Sentencing Guidelines, Health Care | Permalink
Posted by Cynthia Marcotte Stamer

F-1 Visa Guidance Could Impact Health Industry Work Eligibility Of Some Foreign Students

February 22, 2023

New policy guidance issued by the U.S. Citizenship and Immigration Services (“ICE”) could impact employment options of medical, nursing, technology and other foreign students options for work under F-1 student visas.

ICE’s new guidance clarifies the validity period of employment authorization for F-1 nonimmigrant students experiencing severe economic hardship due to emergent circumstances (also known as special student relief (SSR)) who are work authorized under the SSR provisions of 8 CFR. Health care and other organizations should note the update both to recognize the students’ expanded eligibility to work to avoid improper discrimination against foreign student applicants and as prospects for worker hires.

The policy update to the USCIS Policy Manual clarifies that in cases of severe economic hardship due to emergent circumstances, ICE may grant off-campus SSR employment authorization to an F-1 nonimmigrant student for the duration of the Federal Register notice validity period, which is typically 18-months. However, this employment authorization may not extend past the student’s academic program end date.

Emergent circumstances are events that affect F-1 nonimmigrant students from a particular region and create severe economic hardship. These events may include but are not limited to, natural disasters, financial crises, and military conflicts.

This policy update will be effective when published and will apply to all pending and future applications for SSR employment authorization.  

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Health Care | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Withdrawal Of Health Care Antitrust Policy & Enforcement Statements Signals Change For Health Care & Health Benefits

February 3, 2023

Hospitals, physicians and other providers, provider organizations, managed care and insurance and other health and managed care industry participants should proceed cautiously in response to the Justice Department Antitrust Divisions withdrawal of three decades-old healthcare antitrust policy statements it says are outdated. The Policy Statements are:

The withdrawal follows growing activity by DOJ and Federal Trade Commission in recent years challenging certain other health industry conduct as anticompetitive under Federal antitrust laws in recent years as well as new policies challenging noncompetition and other workforce practices used widely within the health care industry. (These developments were discussed in a September, 2022 Joint Committee on Employee Benefits webinar, Department of Justice Antitrust Enforcement Updateebi, moderated by Cynthia Marcotte Stamer.)

Following an uptake in DOJ health care and workforce antitrust enforcement in recent years, the announcement of the antitrust statement withdrawals confirms the Biden Administration led DOJ plans changes to care antitrust and other competition policies and enforcement impacting health care providers, payers, employers and other plan sponsors. In lieu of the principles previously provided by the withdrawn guidelines, DOJ says it will evaluate mergers and conduct in healthcare markets that may harm competition on a case-by-case basis. The announced plan to interpret antitrust law in health care on a case-by-case basis creates significant uncertainty about the scope of risk and safety of many contracting, business transactions and other activities in the health care, insurance, health information technology, pharmaceutical and related industries. All segments of the marketplace should monitor developments and proceed cautiously to avoid inadvertently triggering challenges or liability as a result of the newly created ambiguity.

In the face of these developments, health industry providers, payers, employers and other plan sponsors and others concerned about health industry competition should proceed cautiously and carefully monitor developments at DOJ and FTC. Stay tuned for further developments.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Anitrust, Antitrust, Health Care, Monopoly | Permalink
Posted by Cynthia Marcotte Stamer

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

February 3, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health care providers, health plans, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions.  The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations OCR identified specifically included:

  • A lack of an analysis to determine risks and vulnerabilities of electronic protected health information across the organization;
  • Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack;
  • Failure to implement an authentication process to safeguard its electronic protected health information; and
  • Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as a warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected 
    violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near-miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board-level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported 
    violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, suppliers and other third parties, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third-party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Cyber crime, data breach, data security, DME, Doctor, Employer, ERISA, Federal Sentencing Guidelines, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospice, Hospital, hospitals, Licensing, Meaningful Use, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, OCR, Peer Review, Physician Licensing, retaliation, Technology, Telemedicine, Whistleblower | Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Federal Opiate Sting Arrests Warning To Other Providers

February 2, 2023

Nine Texas individuals were arrested this week in Houston on criminal charges related to their alleged involvement in the unlawful distribution of 1.5 million opioid pills and other controlled substances as a result of a joint federal-state investigation. 

According to court documents, Kent Lyons, 52, of Houston; Roquel Turner, 47, of Manvel; and Traunce Alfred, 43, of Baytown, are charged with illegally distributing controlled substances, including oxycodone and hydrocodone. From August 2017 until late 2022, Lyons and Turner allegedly operated pill-mill pharmacies as fronts to obtain opioids in their highest-strength and immediate-release pill form. They then allegedly sold the drugs on the black market – without the involvement of patients, prescriptions, or doctors – to drug traffickers like Alfred. Lyons and Turner allegedly concealed the drug proceeds using numerous bank accounts and real estate transactions. Lyons also allegedly used some of the proceeds to purchase luxury items, including a Rolls Royce, a Ford F-250, and a Mercedes Maybach.

Court documents allege starting around December 2020, Dwain Ross and Delores Mackey-Ross both of Pearland, and licensed pharmacist Ann Nguyen, of Stafford, allegedly used pharmacies to illegally distribute and dispense nearly half a million pills of oxycodone and hydrocodone. Dwain Ross and Mackey-Ross and David Ross of Houston; Kevin Peterson of Pearland; and Eleanor Marsh of Fulshear, also allegedly illegally ordered the opioid potentiators alprazolam, carisoprodol, promethazine with codeine – which are reported to enhance the high from opioids – from a pharmaceutical wholesaler and a pharmaceutical sales representative then allegedly illegally distributed the opioid potentiators in bulk. Dwain Ross and Mackey-Ross allegedly used numerous bank accounts and real estate transactions to conceal their ill-gotten gains. Dwain Ross also allegedly used some of the drug proceeds to purchase a Lamborghini.

The pharmacies alleged in the indictments to have been controlled by the defendants’ drug trafficking organizations are K Med Pharmacy, Nex Gen Pharmacy, TX United Pharmacy, Power Center Pharmacy #2, DR Pharmacy, and Nu Care Pharmacy. Several other pharmacies, including P&A Pharmacy and Pearland Holistic Pharmacy, voluntarily surrendered their DEA Registration numbers, which a pharmacy needs to legally purchase pharmaceutical opioids and other controlled substances.

Lyons, Turner, Alfred, Dwain Ross, Mackey-Ross, and Nguyen are each charged with illegal distribution of Schedule II opioids. Dwain Ross, Mackey-Ross, David Ross, Peterson, and Marsh are each charged with the illegal distribution of Schedule IV drugs. Lyons, Turner, Dwain Ross, and Mackey-Ross are also charged with money laundering crimes.

Regardless of the ultimate outcome of the current charges, the indictments demonstrate the continuing commitment by the Department of Justice and other federal and state agencies to investigate and prosecute opiate prescription and distribution.

If convicted, Lyons, Turner, Alfred, Dwain Ross, Mackey-Ross, and Nguyen face up to 20 years on the top counts. David Ross and Peterson each face up to five years. Marsh faces up to 10 years if convicted. Court documents allege that over 15 bank accounts, four real properties, and several luxury vehicles – including a Rolls Royce, a Bentley, and a Lamborghini – were involved in, or acquired with proceeds from, the scheme, and are subject to forfeiture if the defendants are convicted.

Of course, the facts alleged in the indictments are allegations. The Justice Department emphasized in announcing the arrests that alll defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. If a conviction happens, a federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. Regardless of the outcome, the prosecution demonstrates the prioritization of the investigation and prosecution of abusive opiate prescribing or distribution.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Health Care | Permalink
Posted by Cynthia Marcotte Stamer