April 2025

Health Care Network’s $600,000 Settlement Highlights Health Industry HIPAA Hacking Liability Exposures & Risk Analysis Responsibilities

April 23, 2025

Conduct an appropriate risk analysis and take the required steps to protect your electronic health records from phishing and other hacking threats by conducting a thorough risk analysis and otherwise cleaning up your Health Insurance Portability and Accountability Act of 1996 compliance! That’s the clear message to the Department of Health and Human Services Office of Civil Rights (“OCR”) urges health care providers, health plans, health care clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) to learn from the $600,000 HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) settlement the Department of Health & Human Services Office of Civil Rights (“OCR”) announced with Southern California health care network PIH Health, Inc. (“PIH”) on April 23, 2025.

Hacking incidents present a significant cybersecurity threat to Regulated Entities’ electronic health and other data. Phishing and other hacking attacks are among the most common types of large breaches reported to OCR every year. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. Between January 1 and April 23, 2025 alone, OCR received 161 hacking-related breach reports from Regulated Entities. OCR’s Breach Portal indicates that on April 23, 2025, OCR had a total of 554 open hacking-related breach investigations, 506 involving health care providers, 47 involving health plans, and one involving a health care clearinghouse.

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to conduct and maintain documented risk analysis to assess their hacking and other threats to the security of their individually identifiable electronic protected health information (“ePHI”) and meet other specific standards to protect the privacy and security of protected health information against hacking and other improper access, destruction, or disclosure. As reflected in the following table of current HIPAA sanctions, violation of these HIPAA requirements exposes a Regulated Entity to significant civil monetary penalties or criminal sanctions.

HIPAA Sanctions

Tier	Civil Penalties[1]	Criminal Penalties
1	Lack of Knowledge: $141 – $71,162 per violation	Reasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment
2	Reasonable Cause: $1,424 – $71,162 per violation	PHI Obtained Under False Pretenses: Up to 5 years imprisonment
3	Willful Neglect (corrected within 30 days): $14,232 – $71,162 per violation	PHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment
4	Willful Neglect (not corrected within 30 days): $71,162 – $2,134,831 per violation

Most Regulated Entities that OCR accused of violating the HIPAA requirements avoid paying the full amount of authorized civil monetary penalties by accepting OCR settlement offers. As the $600,000 PHI demonstrates, settlement with OCR allows Regulated Entities to avoid much greater potential civil monetary penalties by paying a much smaller, but still generally significant settlement amount.

PHI Breach and Settlement

The PHI settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020 about a June 2019 phishing attack. The report stated the attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Rules, including:

Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
Training its workforce members who have access to PHI on its HIPAA policies and procedures.

The findings of deficiencies in PIH’s risk analysis and requirements that PIH conduct an accurate and thorough risk analysis and implement a risk management plan to address and mitigate identified security risks and vulnerabilities are a recurrent theme in OCR breach investigations. OCR’s recent addition of a Risk Analysis Initiative to its compliance and enforcement priorities heightens the significance of OCR’s inclusion of these findings and requirements in the PIH settlement.

The HIPAA Security Rule requires a Regulated Entity to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Meanwhile, the HIPAA Breach Notification Rule requires in 45 CFR § 164.402 that a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. OCR interprets these Rules together also to require Regulated Entities experiencing a breach of ePHI or having evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach as triggering a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA in its guidance and educational outreach, as well as by regularly discussing the requirement and role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. Prior to its announcement of the PIH settlement, OCR in recent months previously announced seven Risk Analysis Initiative settlements including two in April. Although OCR’s PHI settlement announcement does not label the settlement as a Risk Analysis Initiative, OCR’s discussion makes clear OCR considered PIH’s failure to fulfill the Risk Analysis requirements a core failure contributing to the breach.

OCR Acting Director Anthony Archeval made a point of warning other Regulated Entities to ensure the adequacy of their own organizations’ Risk Analysis and other Security Rule compliance in OCR’s announcement of the PIH settlement by stating:

Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience. Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Appropriate Processes Can Enhance Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally, more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

[1] The civil monetary penalty amounts are adjusted annually for inflation. OCR has not yet published the 2025 inflation adjusted amounts.

Leave a Comment » | Health Care | Tagged: ai, Cyber Security, cybersecurity, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Risk Analysis Critical For Health Care Providers & Other HIPAA-Covered Entities To Manage OCR & Other Data Breach Exposures

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office of Civil Rights (“OCR”) two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health care providers, health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly is warning health care providers and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative” .

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Violation of these requirements exposes Regulated Entities to civil monetary penalties or even criminal penalties depending on the nature of the violation.

Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis enforcement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. Territory, island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

Fulfill Current Risk Analysis Standards

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as a ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

For More Information

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Additionally,more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Conditions of Participation, Health Care, Health Care Provider, Health Care Quality, Health Insurance Exchange, Health IT, home health, Mental Heatlh, OCR | Tagged: ai, Cyber Security, cybersecurity, Data Breach, Health Care, Health Care Provider, Health Plan, HIPAA, Hospital, OCR, Physician, Privacy, Risk Analysis, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Trump 4/15 Executive Order Targets Prescription Drug Cost, Transparency and Competitiveness Reforms

April 17, 2025

Health care providers, health plans and insurers, pharmaceutical and prescription drug companies, prescription benefit manager and consumers should prepare for increased regulation of prescription drug benefit management arrangements and other changes in federal rules on prescription drug pricing, coverage and related practices in response to directives in President Trump’s April 15, 2025 Executive Order on Lowering Drug Prices By Once Again Putting Americans First (the “Executive Order”).

Intended to address widely shared concerns about prescription drug availability, cost and coverage, by the Executive Order declares optimization of health care programs, intellectual property protections, and safety regulations to provide access to prescription drugs at lower costs to American patients and taxpayers the policy of the United States. Persons potentially concerned or impacted by these concerns should monitor the affected agencies for calls for stakeholder input, proposed guidance, and other activities in furtherance of the shaping and implementation of these new policy initiatives.

Medicare-Focused Prescription Drug Reforms

To promote this policy, the Executive Order directs the Department of Health and Human Services (“HHS”) and various other federal agencies to take certain steps to implement this policy. The Executive Order includes several directives to HHS and certain other agencies that President Trump intends to lower the cost of prescription drugs within and outside the Medicare program.

By April 15, 2026, the Executive Order directs HHS to develop a better payment model to improve the ability of the Medicare program to obtain better value for high-cost prescription drugs and biological products covered by Medicare, including those not subject to the Medicare Drug Price Negotiation Program.

In addition, the Executive Order:

Directs HHS to work with the Congress to modify the Medicare Drug Price Negotiation Program to align the treatment of small molecule prescription drugs with that of biological products so as to end the distortion that undermines relative investment in small molecule prescription drugs, coupled with other reforms to prevent any increase in overall costs to Medicare and its beneficiaries;
By June 14, 2025,
- Requires HHS to propose changes to the Medicare Drug Price Negotiation Program regulations for the initial price applicability year 2028 and manufacturer implementation of maximum fair price under such program in 2026, 2027, and 2028 to improve the transparency of the Medicare Drug Price Negotiation Program, prioritize the selection of prescription drugs with high costs to the Medicare program, and minimize any negative impacts of the maximum fair price on pharmaceutical innovation within the United States; and
- Requires HHS to require health centers receiving Public Health Service Act Section 330(e) grants to establish practices to make insulin and injectable epinephrine available at or below the discounted price paid by the health center grantee or sub-grantee under the 340B Prescription Drug Program (plus a minimal administration fee) to low income individuals who have a high cost-sharing requirement for either insulin or injectable epinephrine; have a high unmet deductible; or have no healthcare insurance.
- Requires the Assistant to the President for Domestic Policy (“APDP”) in coordination with the Secretary, the Director of the Office of Management and Budget (“OMB Director”), and the Assistant to the President for Economic Policy (“APECP”), to provide recommendations to the President on how best to stabilize and reduce Medicare Part D premiums;
- Requires the HHS Secretary to publish a plan to conduct a survey under the Site-of-Service Price Transparency rules of Social Security Act Section 1833(t)(14)(D)(ii) to determine the hospital acquisition cost for covered outpatient drugs at hospital outpatient departments and propose appropriate adjustments to align Medicare payment with the cost of acquisition, consistent with the budget neutrality requirements;
- Requires HHS to evaluate and propose regulations to ensure that payment within the Medicare program is not encouraging a shift in drug administration volume away from less costly physician office settings to more expensive hospital outpatient departments.

Other Prescription Drug Reforms

In addition to these predominantly Medicare-focused programs, the Executive Order also orders federal agencies to

Requires the Secretary of Labor to propose regulations pursuant to section 408(b)(2)(B) of the Employee Retirement Income Security Act of 1974 to improve employer health plan fiduciary transparency into the direct and indirect compensation received by pharmacy benefit managers by October 12, 2025;
Requires the APDP, in coordination with the HHS Secretary, the OMB Director, and the APECP, to provide recommendations to the President on how best to promote a more competitive, efficient, transparent, and resilient pharmaceutical value chain that delivers lower drug prices for Americans by June 14, 2025;
Requires the Food and Drug Administration to streamline and improve the Importation Program under the Federal Food, Drug, and Cosmetic Act to make it easier for States to obtain approval without sacrificing safety or quality;
Requires the OMB Director, the APDP, and the Assistant to the President for Economic Policy )”APECP, and HHS Secretary to provide joint recommendations on how best to ensure that manufacturers pay accurate Medicaid drug rebates consistent with section 1927 of the Social Security Act, promote innovation in Medicaid drug payment methodologies, link payments for drugs to the value obtained, and support States in managing drug spending;
Requires the HHS Secretary, through the Commissioner of Food and Drugs, to issue a report providing administrative and legislative recommendations to accelerate approval of generics, biosimilars, combination products, and second-in-class brand name medications; and improve the process through which prescription drugs can be reclassified as over-the-counter medications, including recommendations to optimally identify prescription drugs that can be safely provided to patients over the counter;
Requires HHS, the Department of Justice, the Department of Commerce, and the Federal Trade Commission to conduct listening sessions and issue a report with recommendations to reduce anti-competitive behavior from pharmaceutical manufacturers.

Leave a Comment » | Doctor, drug treatment, Health Care, Health Care Reform, Health Insurance, Health Plan, Health Plans, healthcare, Heath Care Exchange, Home Health, Hospital, hospitals, managed care, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Patient Empowerment, Pharmaceudical, pharmaceutical, Pharmacy, Physician, Preexisting Condition Insurance Plan, Reimbursement | Tagged: Health, healthcare, Medicare, news, politics | Permalink
Posted by Cynthia Marcotte Stamer

State Medicaid Programs Can Deny Out-Of-State Providers Supplemental Payments

April 9, 2025

While Medicaid rules require state Medicaid programs to provide reimbursements for out-of-state services provided to beneficiaries, the District Of Colombia Court of Appeals has ruled that states can limit supplemental payments funded through a tax or assessment on in-state providers to in-state providers.

In Asante v. Kennedy, No. 23-5055 (D.C. Cir. 2025), border hospitals caring for California residents covered by California’s Medi-Cal program argued California violated the Commerce Clause and the Equal Protection Clause of the Constitution by refusing to pay Medi-Cal supplemental payments provided to in-state hospitals caring for Medi-Cal beneficiaries to the border hospitals treating Medi-Cal beneficiaries seeking care outside California.

The Medi-Cal program is the program through which California participates in Medicaid. Federal Medicaid funding is available to States for expenditures related to the provision of a covered Medicaid service to a Medicaid beneficiary under 42 U.S.C. § 1396b.

For purposes of Asante, the Court distinguished between two types of State Medicaid expenditures:

Base payments, which CMS has defined as payments made to providers “on a per-claim basis for services rendered to a Medicaid beneficiary,” and
Supplemental payments, which are payments to providers separate from (and in addition to) the “per-claim” base payments for services rendered to a beneficiary.

See Medicare and Medicaid Programs; Minimum Staffing Standards for Long-Term Care Facilities and Medicaid Institutional Payment Transparency Reporting, 89 Fed. Reg. 40,876, 40,925 (June 21, 2024) (citing 42 U.S.C. § 1396b(bb)); 42 C.F.R. § 438.6(a).

The Medicaid law does not require states to fund their share of Medicaid expenditures entirely on their own. Instead, States may tax providers in accordance with specified criteria to generate funds that the federal government then matches. In 2009, California exercised this taxing authority by establishing a Quality Assurance Fee (“QAF”) as part of its administration of Medi-Cal. The QAF program operates by: (i) assessing a provider tax, which California calls a quality assurance fee, on nonexempt in-state hospitals; (ii) using those funds to generate matching federal Medicaid funding; and (iii) distributing the collected funds as supplemental payments to qualifying private in-state hospitals. Id. §§ 14169.50, 14169.52, 14169.54, 14169.55.

Following California’s original creation of the QAF program, a group of out-of-state hospitals located near the California border challenged the program in federal court in California, claiming an entitlement to receive the QAF supplemental payments, which by California law were to go solely to instate hospitals. At that time, California chose to settle rather than fight the out-of-state hospitals. Consequently, California entered into settlement agreements under which it gave QAF supplemental payments to those out-of-state hospitals through 2019. Those settlement agreements expired in 2019.

When California sought and obtained in 2020 CMS approval of the QAF program with payments restricted to in-state hospitals for the next two-year cycle, California again faced challenges from out-of-state hospitals along its border. A group of out-of-state hospitals located near the California border again argued in federal court that their exclusion from the QAF supplemental payments violates the Commerce Clause, the Equal Protection Clause, and federal Medicaid regulations. After district court granted summary judgment approving the California exclusion of the out-of-state providers, Asante v. Azar, 656 F. Supp. 3d 185, 190 (D.D.C. 2023), the border hospitals appealed.

In its ruling upholding California’s limitation of eligibility for the supplemental payments, the Court rejected each of the border hospital’s Constitutional challenges to their ineligibility.1

Regarding the Commerce Clause, the Court of Appeals rejected the border hospitals’ Commerce Clause’s claim that the QAF program discriminates against interstate commerce because California pays QAF supplemental payments only to in-state hospitals. The Appeals Court noted that both the QAF provider tax assessed against in-state hospitals and the QAF supplemental payments given to in-state hospitals are calculated based solely on the in-state provision of medical care to in-state patients. The QAF program does not assess a tax against out-of-state hospitals. Since California makes no “obvious effort to saddle those outside the State” with the costs of the QAF program. Since out-of-state hospitals neither incur the costs (the provider tax) nor receive the benefits (the supplemental payments) of the QAF program, the Appeals Court held that the program does not discriminate against interstate commerce—as it imposes no “differential burden on any part of the stream of commerce” here. See W. Lynn Creamery, Inc. v. Healy, 512 U.S. 186, 202 (1994).

The Court likewise rejected the border hospital’s claim that California violated the Equal Protection Clause. Noting that a challenged state law such as the California statute that does not include factors justifying heightened scrutiny must be upheld under the Equal Protection Clause “if there is any reasonably conceivable state of facts that could provide a rational basis” for it, the Court ruled that limiting eligibility for the supplemental payments to the in-state hospitals that paid the taxes that funds it. Accordingly, the Court ruled the border hospitals were not entitled to receive supplemental payments under the Equal Protection Clause.

Finally, the Appeals Court also rejected the border hospitals’ last argument that California’s QAF program violated HHS Regulations by denying the supplemental payments to the border hospitals because the supplemental payments are not reimbursements for services and therefore not covered by 42 C.F.R. § 431.52.

Accordingly, the Appeals Court ruled that California does not violate the Commerce Clause or Equal Protection Clause of the United States Constitution by excluding out-of-state hospitals located along the California border (“border hospitals”) that treat California residents enrolled in Medi-Cal from eligibility to collect Medi-Cal supplemental payments paid to California hospitals for treating Medi-Cal-covered Californians.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, government health and social security programs, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about health industry quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and heath care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD, FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | Academic medicine, Childrens Health Insurance Program, Health Care, Health Care Provider, health care reimbursement, Medicaid, Medicaid Advantage | Tagged: Health, healthcare, insurance, news, politics | Permalink
Posted by Cynthia Marcotte Stamer

Texas Pharmacist Ordered To Serve 17+ Years, Repay $115 Million & Forfeit Record $405 Million For Health Care Fraud

April 8, 2025

Plano, Texas pharmacist Dehshid “David” Nourian, must serve 17 years and six months in prison pay more than $115 million in restitution and forfeit a record $450 million in assets for his role in a $145 million scheme to defraud the Department of Labor by submitting fraudulent prescription compound creams claims.

According to court documents and evidence presented at trial, Nourian and others conspired to pay doctors to prescribe medically unnecessary compound creams to injured federal workers. Nourian and others owned and operated three pharmacies located in Fort Worth and Arlington, Texas. Over the course of the scheme, they paid doctors millions of dollars in illegal bribes and kickbacks for referring expensive compound medications to be filled by those pharmacies.

Evidence at trial showed these compounds were mixed in the back rooms of the pharmacies by untrained teenagers at a cost to the defendants of around $15 per prescription. The pharmacies then billed to the Department of Labor’s Office of Workers’ Compensation Programs (“DOL-OWCP”) for as much as $16,000 per prescription.

Patients who received the creams testified at trial to the creams’ ineffectiveness and that using the creams resulted in painful, irritating skin rashes in some instances.

The $450 million forfeiture is the highest forfeiture ever obtained in a health care fraud case in the Justice Department’s history.

In less than three years, between May 2014 and March 2017, the pharmacies billed the DOL-OWCP and Blue Cross Blue Shield more than $145 million and were paid more than $90 million for unnecessary prescriptions referred by medical providers in exchange for the illegal bribes and kickbacks.

Nourian and others then attempted to conceal their ill-gotten gains by laundering the money through purported holding companies and attempted to evade paying $24 million in federal income taxes on the illicit proceeds.

In November 2023, a federal jury in the Northern District of Texas convicted Nourian of one count of conspiracy to commit health care fraud, eight counts of health care fraud, one count of conspiracy to launder money, five counts of money laundering, and one count of conspiracy to defraud the United States by failing to report and attempting to evade the collection of taxes owed to the IRS.

A federal court ordered Nourian to serve a 17 and a half years prison sentence and to pay $115 million in restitution on February 21, 2025 as the sanction for his conviction.

In an order issued following Nourian’s sentencing, the court also ruled that Nourian will forfeit $405 million in seized assets tied to his crimes. Evidence at trial demonstrated that Nourian and his co-conspirators used a complex web of bank accounts and shell companies to launder their fraud proceeds, ultimately depositing tens of millions of dollars into Nourian’s and other family members’ bank and investment accounts. The forfeiture order returned that money to the taxpayers and included the forfeiture of $395 million in brokerage accounts, over $2 million in bank accounts, real estate in Dallas and Austin worth $8 million, and a BMW luxury vehicle.

The prosecution and sentencing shows the high price pharmacists and other health care providers can incur for dishonest or other fraudulent conduct in health care or coverage.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about health industry quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Health Care | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Network’s $600,000 Settlement Highlights Health Industry HIPAA Hacking Liability Exposures & Risk Analysis Responsibilities

HIPAA Sanctions

PHI Breach and Settlement

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

Fulfill Current Risk Analysis Standards

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

Appropriate Processes Can Enhance Defensibility

For More Information Or Help

About the Author

About Solutions Law Press™

Risk Analysis Critical For Health Care Providers & Other HIPAA-Covered Entities To Manage OCR & Other Data Breach Exposures

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

Risk Analysis Longstanding HIPAA Requirement

OCR Raising Risk Analysis Expectations & Enforcement

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

Fulfill Current Risk Analysis Standards

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

For More Information

About the Author

About Solutions Law Press™

Trump 4/15 Executive Order Targets Prescription Drug Cost, Transparency and Competitiveness Reforms

Medicare-Focused Prescription Drug Reforms

Other Prescription Drug Reforms

State Medicaid Programs Can Deny Out-Of-State Providers Supplemental Payments

For More Information

About the Author

About Solutions Law Press, Inc.™

Texas Pharmacist Ordered To Serve 17+ Years, Repay $115 Million & Forfeit Record $405 Million For Health Care Fraud

For More Information

About the Author

About Solutions Law Press, Inc.™

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update

Health Care Network’s $600,000 Settlement Highlights Health Industry HIPAA Hacking Liability Exposures & Risk Analysis Responsibilities

HIPAA Sanctions

PHI Breach and Settlement

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

Fulfill Current Risk Analysis Standards

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

Appropriate Processes Can Enhance Defensibility

For More Information Or Help

About the Author

About Solutions Law Press™

Share this:

Risk Analysis Critical For Health Care Providers & Other HIPAA-Covered Entities To Manage OCR & Other Data Breach Exposures

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

Risk Analysis Longstanding HIPAA Requirement

OCR Raising Risk Analysis Expectations & Enforcement

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

Fulfill Current Risk Analysis Standards

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

For More Information

About the Author

About Solutions Law Press™

Share this:

Trump 4/15 Executive Order Targets Prescription Drug Cost, Transparency and Competitiveness Reforms

Medicare-Focused Prescription Drug Reforms

Other Prescription Drug Reforms

Share this:

State Medicaid Programs Can Deny Out-Of-State Providers Supplemental Payments

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

Texas Pharmacist Ordered To Serve 17+ Years, Repay $115 Million & Forfeit Record $405 Million For Health Care Fraud

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update