Ensure Health Care & Other Compliance Practices Updated For New DOJ Voluntary Disclosure Policy

February 24, 2023

Health care, life sciences and other organizations and their leaders generally recognize the need for effective compliance programs to mitigate their organizational and individual criminal liability risks for violations of the constantly widening plethora of federal health care, tax, marketing, labor and employment, antitrust, marketing, securities, cyber liability, safety, environmental and other laws.

To maintain and promote the effectiveness of these efforts, organizations and their leaders now need to consider the advisability of enhancements or other modifications of their organization’s Federal Sentencing Guideline and other compliance programs and practices in light of the new corporate criminal conduct Voluntary Self-Disclosure Policy (“VSD policy”) announced by the Department of Justice on February 23, 2023. Concurrently, organizations and their leaders also will want to monitor and respond promptly to Justice Department statements and congressional recommendations on proposed Guideline changes providing critical insights into the Justice Department’s planned interpretation and enforcement of federal criminal laws and the Guidelines against organizations and their leaders like those available here.

While the application of the VSP policy inherently requires subjective decision-making, the VSP policy and other emerging statements reinforce to organizations and their leaders the advisability of ensuring their organizations adopt and administer effective Federal Sentencing Guideline compliance programs for the ever-growing list of laws applicable to their organizations that carry potential felony and class A misdemeanor criminal liability and timely to investigate and self-disclose violations with the assistance of legal counsel in accordance with the Guideline requirements for liability mitigation to mitigate the potential liability exposure of the organization and its leader.

VSD Policy Standardizes USAO Sentencing Guideline Organization Liability Determinations

Chapter 8 of the Federal Sentencing Guidelines sets standards for the assessment of criminal liability and punishment against corporations, partnerships, labor unions, pension funds, trusts, non-profit entities, and governmental units (“organizations”) and their leaders for legal violations committed by the organization that carry felony or Class A misdemeanor liability or when the Federal Sentencing Guidelines impute criminal liability to the organization for criminal acts that an employee of the organization commits an act within the apparent scope of his employment.

The standards for organizational sentencing offer organizations the opportunity to mitigate their liability exposure if it can persuade the prosecuting U.S. attorneys office (“USAO”) it had in place and followed an effective compliance program, promptly reported the violation to the authorities, and that high-level leaders were not involved in the actual offense conduct. On the other hand, an organization’s lack of an effective compliance program, delay in investigation, cover-up or failure or delay of timely disclosure and failure to make prompt restitution for violations are aggravating factors that can increase its potential sanction.

According to the Justice Department, the Justice Department intends that the VSD policy ensure that organizations can rely on receiving the same treatment and benefits for voluntarily self-disclosing criminal conduct under the Federal Sentencing Guidelines organizational liability rules to any USAO no matter where the organization operates by setting “a nationwide standard” for how USAOs will determine whether an organization has made a voluntary self-disclosure and making transparent the specific, tangible benefits to an organization that the USAO will offer the organization for making a voluntary self-disclosure, fully cooperating, and remediating the criminal conduct.

In furtherance of this goal, the new VSD policy provides that a USAG will consider an organization to have made a VSD for purposes of the Federal Sentencing Guidelines if it becomes aware of misconduct by employees or agents before that misconduct is publicly reported or otherwise known to the DOJ, and discloses all relevant facts known to the company about the misconduct to USAO in a timely fashion before an imminent threat of disclosure or government investigation. 

In the absence of any aggravating factor, the VSD policy calls for the USAG “significant benefits” to a corporation that voluntarily self-discloses criminal conduct committed by its employee or agent in accordance with the VSD policy, fully meets the other requirements of the VSD policy, fully cooperates and timely and appropriately remediates the criminal conduct including agreeing to pay all disgorgement, forfeiture, and restitution resulting from the misconduct.  The promised significant benefits for organizations making a qualifying VSD include that the USAO:

  • Will not seek a guilty plea;
  • May choose not to impose any criminal penalty and in any event will not impose a criminal penalty that is greater than 50% below the low end of the United States Sentencing Guidelines (USSG) fine range; and
  • Will not seek the imposition of an independent compliance monitor if the company demonstrates that it has implemented and tested an effective compliance program.

The VSD policy identifies three aggravating factors that could warrant a USAO seeking a guilty plea even if the other requirements of the VSD policy are met:

  • If the misconduct poses a grave threat to national security, public health, or the environment;
  • If the misconduct is deeply pervasive throughout the company; or
  • If the misconduct involved the current executive management of the company. 

The Justice Department says the presence of an aggravating factor does not necessarily mean that a guilty plea will be required. Rather, the USAO will assess the relevant facts and circumstances to determine the appropriate resolution.  If a guilty plea is ultimately required, the Justice Department says the organization will still receive the other benefits under the VSD policy, including that the USAO will recommend a criminal penalty of at least a 50% and up to a 75% reduction off the low end of the USSG fine range, and that the USAO will not require the appointment of a monitor if the company has implemented and tested an effective compliance program.

In cases where a company is being jointly prosecuted by a USAO and another DOJ component, or where the misconduct reported by the company falls within the scope of conduct covered by VSD policies administered by other DOJ components, the USAO will coordinate with, or, if necessary, obtain approval from, the DOJ component responsible for the VSD policy specific to the reported misconduct when considering a potential resolution.  Consistent with relevant provisions of the Justice Manual and as allowable under alternate VSD policies, the USAO may choose to apply any provision of an alternate VSD policy in addition to, or in place of, any provision of its policy.

VSD Policy Reenforces Necessity of Effective Compliance Program & Guideline Compliance

The stated goal of the VSD policy to incentivize companies to maintain effective compliance programs capable of identifying misconduct, expeditiously and voluntarily disclose and remediate misconduct, and cooperate fully with the government in corporate criminal investigations sends a strong message to organizations and their leaders to maintain and administer effective compliance programs and follow the VSD policy promptly when issues arise.

While the Justice Department touts the benefits of compliance with the VSD policy, its adoption also carries an implicit warning to organizations against failing to comply with its provisions.

With the Biden Administration accelerating enforcement of a wide range of federal laws carrying criminal liability, organizations and their leaders should heed this warning by auditing and enhancing their and their organization’s potential criminal exposures and the adequacy of their compliance policies, practices and documentation.

Because of the highly sensitive nature Campus of this type of analysis for the organization and its leaders, before starting the review, and throughout its conduct organizations are urged to engage and seek guidance from qualified legal counsel to position their review for protection, within the scope of attorney, client privilege, and other evidentiary protections, as well as to maximize the benefit of the effort undertaken in the event of future investigations or enforcement.

Possessing an up-to-date understanding of material civil and criminal legal obligations and exposures is absolutely critical to the effectiveness of this review. With laws and regulations constantly changing, organizations and their leaders must establish a documented, provable culture of compliance. This starts with ensuring their organizations have adopted strong policies of compliance coupled with processes for monitoring and identifying laws carrying potential criminal liability, exposure or otherwise, requiring corporate compliance programs. Along with requirements to comply, leadership also must implement appropriate processes for auditing compliance as well as receiving and investigating complaints or other indicators that arguably put their organization or its leadership on notice of potential compliance concerns.

When implementing compliance procedures, for any specific law, organizations, and their leaders will also want to ensure that their processes and policies are designed to meet the seven criteria that Chapter 8 of the Federal Sentencing Guidelines outlines for establishing an “effective compliance program”

  • The maintenance and enforcement of compliance standards and procedures reasonably capable of reducing the prospect of criminal activity;
  • Oversight by high-level personnel;
  • Due care in delegating substantial discretionary authority;
  • Effective Communication to all levels of employees;
  • Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal.
  • Consistent enforcement of compliance standards including disciplinary mechanisms; and
  • Reasonable steps to respond to and prevent further similar offenses upon detection of a violation.

Taking into account these criteria and the new VSP policy, organizations and their leaders also should ensure their organization has appropriate procedures and protocols for receiving, investigating and reports of potential violations and the organization’s timely and appropriate response in a manner that best positions the organization to demonstrate the culture of compliance, and other factors necessary to qualify for the maximum leniency under the guidelines. in a manner that best positions the organization to demonstrate the culture of compliance, and other factors necessary to qualify for the maximum leniency under the guidelines.

When designing and administering compliance investigations and responses, documentation and other evidence regarding actions taken, communications and deliberations, play a key role in deciding how the organization and its leaders will be treated under the VCD policy and the guidelines. For this reason, organizations should include appropriate procedures to determine when and how legal counsel will become involved to guide the process and allow for the use of attorney-client privilege to help protect, sensitive discussions along the way. Legal counsel also should assist in documenting the process and findings for presentation to the Justice Department and subsequent communications with it through resolution.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Anti-KickBack, ASC, Corporate Compliance, Employee Benefits, Employment, Federal Sentencing Guidelines, Health Care | Permalink
Posted by Cynthia Marcotte Stamer

Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement In 9/8 JCEB Webex

September 2, 2022

As qualifying individuals and companies that purchased or received health insurance await instructions on how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Anethesiology, Antitrust, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Federal Sentencing Guidelines, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Covered Entity Nailed With $300,000+ HIPAA Settlement For Improper PHI Disposal

August 23, 2022

A Massachusetts dermatology practice’s Health Insurance Portability & Accountability Act (“HIPAA”) $300,000 plus settlement with the Department of Health & Human Services Office for Civil Rights (OCR) reminds health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) to use proper practices and safeguards when disposing of protected health information (“PHI”).

Following up on other OCR enforcement involving improper protection and disposal of paper and electronic PHI, the settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) OCR announced today (August 23, 2022) resolves charges that NDELC violated the HIPAA Privacy Rules when it placed specimen containers with patient identifying PHI in its parking lot garbage bin.

OCR interprets HIPAA as requiring Covered Entities to appropriate steps to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public. ”Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer.

On May 11, 2021, NEDLC filed a breach report with OCR that reported empty specimen containers with the PHI on labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. On March 31, 2021, a third-party security guard found one specimen container bearing a label containing patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen.  During the investigation, NEDLC stated that from February 4, 2011 until March 31, 2021, it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.

OCR’s New England Regional Office found the practice of disposing of specimen containers with their labels containing PHI violated the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Under the NEDLC Resolution Agreement negotiated to settle the alleged violations, NEDLC paid $300,640 to OCR and agreed to implement a “robust” corrective action plan that includes two years of  OCR monitoring.  Among other things, the corrective action plan requires NEDLC to:

  • Within 60 days, develop, maintain, and revise, as needed and present for OCR review its written policies and procedures to comply with the physical safeguard and disposal of PHI created, received or maintained by or on behalf of NEDLC and all other HIPAA Privacy, Security and Breach Notification and training protocols to ensure workforce member compliance with these policies; and sanctions for workforce members violating these requirements;
  • Implement the updated policies and procedures within 30 days of receipt of HHS approval;
  • Distribute the policies to existing members of its workforce within 30 days of receipt of HHS approval of the policies and subsequently to new members of the workforce within 30 days of their beginning of service and obtain a signed written or electronic initial compliance certification from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures;
  • Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed, provide the revised policies and procedures to HHS for review and approval, and redistribute to and obtained new compliance certifications from workforce members and business associates within 30 days of HHS approval;
  • If it receives information during the Compliance Term that a workforce member or business associate may have failed to comply with its policies and procedures for safeguarding PHI, promptly investigate and it the investigation finds a violation, notify HHS within 30 days of the violation and corrective action taken;
  • Comply with specified breach investigation and notification requirements;
  • Provide reports certified by a designated leader of the organization its implementation of the corrective action plan, annually and upon the occurrence of certain other events during the two-year monitoring period.

The NEDLC Resolution Agreement is not the first time OCR has nailed a Covered Entity for improper disposal of PHI. In 2015 Cornell Prescription Pharmacy paid OCR $125,000 and implemented a correction action plan to correct alleged HIPAA violations after an OCR investigation of a local news report confirmed unsecured paper documents containing PHI of more than 1600 patients were disposed of in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. See Cornell Prescription Pharmacy Resolution Agreement. See also $800,000 HIPAA Settlement in Medical Records Dumping Case.

To reduce their own exposure to potential HIPAA liability arising from improper disposal of PHI, covered entities should evaluate the adequacy of the PHI handling, security and disposal policies, procedures, training and compliance for potential weaknesses and take appropriate, timely documented corrective action to tighten their compliance with OCR’s regulations, OCR’s Frequently Asked Questions About the Disposal and other OCR enforcement actions and guidance on PHI disposal.   

Since these evaluations could uncover past or ongoing compliance concerns, Covered Entities and business associates should consider engaging legal counsel experienced with HIPAA compliance to advise and aid the Covered Entity to structure, conduct, evaluate findings and determine and implement any corrective actions that the review reveals as required or advisable within the scope of attorney client privilege.

Effective protection and disposal of PHI requires that Covered Entities recognize and keep track of all PHI in the various phases of its lifecycle in the organization including when it is being disposed or or migrating through various systems. Sanctions for disposal of specimen bottles containing PHI labels should raise the need for awareness of disposal practices for other patient labeled items including identification bracelets, medication containers and labels, meal trays and the plethora of other items containing patient specific information. PHI disposal issues also can arise out of the disposal of files, storage containers, computers, copiers or other devices. For instance, under the Affinity Health Plan, Inc. Resolution Agreement, Affinity Health paid OCR $1,215,780 to settle potential HIPAA Civil Monetary Sanctions after OCR found it exposed the PHI of up to 344,579 individuals by returning photocopiers to a leasing agent without erasing the data contained on the copier hard drives. 

Because HIPAA obligations continue even when a Covered Entity or business associate goes out of business, Covered Entities also need to take appropriate steps to provide for ongoing management, protection and disposal of PHI when they or a business associate ceases business. Thus, in the FileFax Resolution Agreement, for instance the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $ 100,000 out of the receivership estate to OCR to settle potential HIPAA violations after Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

Covered Entities must understand that these responsibilities generally cannot be met merely through adoption of a standard set of policies and procedures from a third-party. The HIPAA Privacy Rule requires all Covered Entities to prepare and document risk assessments and develop and enforce appropriate privacy and security policies and procedures. Security and disposal practices and procedures are among the elements of HIPAA compliance that OCR expects Covered Entities to address in the documented risk assessments the regulations require Covered Entities to prepare and maintain. See $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis. As with other HIPAA compliance responsibilities, OCR regulations require that Covered Entities include their documented assessment and decision-making about the adequacy and reasonableness of their PHI protection and destruction practices under HIPAA as part of their overall HIPAA risk assessment plan and practices.

While OCR guidance provides some examples of several practices that a Covered Entity might use that could or could not meet the destruction standards, these examples are not safe harbors. The regulations and guidance expect Covered Entities to conduct a documented review and assessment “of their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.”  OCR guidance directs that Covered Entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. Covered entities are responsible for conducting and documenting their analysis as well as their adoption, implementation and enforcement of the resulting policies and procedures.

If circumstances come to light that indicate a breach of the standards in the course of the disposal compliance assessment or otherwise, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, Covered Entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling PHI could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Anethesiology, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

SCOTUS: Emotional Injury Damages Not Recoverable In Patient’s Private Rehab Act and ACA Disability Discrimination Lawsuit But Other Significant Liability Risks Remain

May 2, 2022

Today’s Supreme Court ruling that emotional distress damages are not recoverable in a private action to enforce the disability discrimination and accommodation requirements of either the Rehabilitation Act of 1973 (“Rehab Act”) or the Patient Protection and Affordable Care Act (“ACA”) prevents health care and other businesses subject to these requirements against the risk of large emotional injury awards in private actions for discrimination based on these laws. However, health care providers and other organizations subject to these requirements should use care to maintain compliance to avoid large actual damage awards to plaintiffs bringing private lawsuits, program exclusion, penalties or other governmental sanctions or both.

Cummings Supreme Court Ruling

The May 1, 2022 United States Supreme Court ruling in Cummings v. Premier Rehab Keller authored by Supreme Court Justice John Roberts resulted from a suit that sought emotional distress damages brought by filed by a deaf and legally blind woman, Jane Cummings against Premier Rehab Keller after it denied her request that it provide an American Sign Language interpreter at her physical therapy sessions.  Premier Rehab told Cummings the therapist could communicate with her through other means,  Claiming Premier Rehab’s failure to provide an ASL interpreter constituted discrimination on the basis of disability in violation of the Rehab Act and Section 1557 of the ACA, Cummings sued Premier Rehab seeking various damages and other relief, including emotional distress damages.

The Supreme Court took notice that Premier Rehab was subject to these laws because its receipt of Medicare and Medicaid payments qualified as federal financial assistance triggering their applicability.

The Supreme Court affirmed the previous District Court and Fifth Circuit Court of Appeals’ rulings that emotional distress damages are not recoverable in a private action to enforce either the Rehab Act or the ACA.

The Supreme Court Majority based its decision on its finding that the Rehab Act and Act both are spending statutes that condition their offer of federal funding on a promise by the recipient not to discriminate creating what amounts essentially to a contract between the Government and the recipient of funds.  Following previously established Supreme Court precedent for “private spending clause actions,” the Court ruled the emotional distress or other remedy is not available unless “the funding recipient is on notice that by accepting federal funding, it exposes itself to liability of that nature.”

To decide whether emotional distress damages are available under the Spending Clause statutes in this case, the Court therefore asked if a prospective funding recipient deciding whether to accept
federal funds would have had “clear notice” regarding that liability. Because the two statutes are silent on the availability of emotional injury damages, the Supreme Court followed prior precedent by looking to whether the emotional damages sought by Cummings were the type of damages traditionally available in suits for breach of contract so as to put Premier Rehab and other defendants on notice of their exposure to such damages from actions under the Rehab Act or ACA.  While acknowledging some exceptional circumstances where punitive damages may be recovered where “the conduct constituting the breach is also a tort for which punitive damages are recoverable,” the Court found such damages “are generally not available for breach of contract.” Concluding that the recognized exception to the general rule was insufficient to give funding recipients the requisite notice that they could face such damages. the Supreme Court ruled that funding recipients under the Rehab Act and the ACA “have not, merely by accepting funds, implicitly consented to liability for punitive damages.” 

To read the full Majority opinion and related consenting and dissenting opinions, see here. 

Liability Risks Remain Substantial Despite Cummings Ruling

While the Supreme Court’s ruling means private litigants cannot recover emotional injury damages in discrimination actions brought to enforce the Rehabilitation Act or the ACA, health industry and other organizations remain subject to other substantial liability risks for improper discrimination in violation of those laws.  Beyond recoveries for actual damages, attorneys’ fees and costs recoverable by private litigants, covered organizations also can face substantial civil monetary penalties, program disqualification, in some instances even False Claims Act liability for billing in violation of program conditions of participation and other risks.  As federal agencies continue to make enforcement of these sanctions a priority, organization covered by either of these laws should use care to maintain appropriate compliance and risk management to ensure their ability to defend against any potential charges.  

For instance, HHS recently reaffirmed its continued commitment and prioritization of protecting disabled individuals against disability discrimination by its publication of its February 4, 2022 FAQs for Healthcare Providers during the COVID-19 Public Health Emergency: Federal Civil Rights Protections for Individuals with Disabilities under Section 504 and Section 1557. Published to remind health care providers of their obligations under law and provide examples of applicability, HHS clarifies in that guidance that federal civil rights laws apply to health care providers, including those administering COVID-19 testing, medical supplies, and medication. These rules also apply to entities providing hospitalization, long-term care, intensive treatments, and critical care, such as oxygen therapy and mechanical ventilators. HHS also confirm that federal civil rights laws apply to state Crisis Standard of Care plans, procedures, and related standards for triaging scarce resources that hospitals are required to follow. HHS Issues New Guidance for Health Care Providers on Civil Rights Protections for People with Disabilities. See also New Guidance to Boost Accessibility and Equity in COVID-19 Vaccine Programs (December 22, 2021); HHS Takes Action to Prevent Discrimination and Strengthen Civil Rights (November 18, 2021); HHS and DOJ Issue Guidance on “Long COVID” and Disability Rights Under the ADA, Section 504, and Section 1557 (July 26, 2021); OCR Provides Technical Assistance to the State of Arizona to Ensure Crisis Standards of Care Protect Against Age and Disability Discrimination (May 25, 2021); HHS Announces Prohibition on Sex Discrimination Includes Discrimination on the Basis of Sexual Orientation and Gender Identity (May 10, 2021); New Legal Guidance and Resources to Ensure — and Expand — Access to COVID-19 Vaccines for People with Disabilities and Older Adults (April 13, 2021).

HHS’ guidance announcements all include a warning like the one from OCR Director Lisa J. Pino in the February 4, 2022 announcment that “OCR will continue our robust enforcement of federal civil rights laws that protect people with disabilities from discrimination, including when Crisis Standards of Care are in effect.”

The current and historical enforcement record of HHS demonstrates the teeth behind this commitment. OCR has a long and continuing history of extracting substantial settlements or civil monetary penalties from health care or other organizations receiving Medicare, Medicaid or other federal funds administered by HSS for engaging in conduct OCR finds inconsistent with the ACA or Rehabilitation Act discrimination requirements. See, e.g., Settlement Agreement Reached with Rhode Island Department of Children, Youth and Families to Address Discrimination Against Parents with Disabilities (March 30, 2022); Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (December 22, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office for the District of Massachusetts Settle Disability Discrimination Case with Baystate Medical Center (November 17, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office Settle Disability Discrimination Case with Backus Hospital (October 5, 2021); Rhode Island, Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (August 9, 2021).

These OCR guidance and enforcement actions and similar activities by other federal agencies send a strong message that OCR and other federal agencies will continue and expand their zealous investigation and enforcement of disability and other violations by health care providers and other public and private organizations covered by the Rehabilitation Act, the ACA or other federal discrimination and civil rights laws. Health care providers and others regulated by these federal discrimination laws should consider auditing the adequacy of existing practices, reaffirming their own and their business partners’ compliance, retraining workforce and taking other appropriate steps to help prevent illegal discrimination within their organization and to position their organization to respond and defend against potential discrimination investigations or charges.

For Additional Information Or Assistance

If you need have questions or need assistance with health, health or other insurance, employee benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.  Longtime scribe for the American Bar Association Joint Committee on Employee Benefits agency meeting with OCR and author of leading publications on HIPAA and other privacy and data security concerns, Ms. Stamer regularly assists clients and provides input to Congress, OCR and other agencies, publishes and speaks extensively on medical and other privacy and cybersecurity, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications.  She also is a highly-sought out speaker on privacy and data security who serves on the planning faculty and speaks for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.  If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, e-mail Ms. Stamer or call (214) 452-8297.  

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

Important Information About This Communication

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | 1335 Waiver, Academic medicine, ADA, air ambulance, Ambulatory care, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Covid, Disability Discrimination, Discrimination, DME, early childhood education, Emergency Care, Employee Benefits, Employment, false claims act, Health Care, Health Care Fraud, Health Care Provider, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Labor Law, Laws, Life Sciences, Medicaid, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, OIG, Opiates, Outpatient, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Section 1557 | Permalink
Posted by Cynthia Marcotte Stamer

CMS Updates COVID-19 Guidance For Visiting Nursing Homes & LTC Facility Vaccination During Omicron Surge

January 13, 2022

CMS recently updated its Nursing Home Resource Centerwith new pieces of informational guidance on visitation and vaccines in response to the recent surge in Omicron cases.

Visitation

As of January 6, CMS updated the Nursing Home Visitation FAQs (PDF) to give additional guidance about visitation during the Omicron surge and also created an infographic (PDF) to graphically represent how to safely conduct visits to nursing homes during this time of spiking COVID cases around the country. Nursing home providers, patients, caregivers, and CMS partners can use these 2 new resources to stay informed about CMS’ latest thinking for keeping nursing homes safe in the current COVID climate.

CMS also continues to urge long-term care settings, like nursing homes, assisted living, residential care communities, group homes, and senior housing, to ensure residents and staff get COVID-19 vaccine primary series and booster shots.

Vaccination

while long-term care and other Medicare and Medicaid participating healthcare providers continue to await the Supreme Court’s decision on the enforceability and validity of the Biden administration vaccine mandate for program participation, CMS continues to urge long-term care providers to coordinate access to COVID-19 vaccines, either in the local community or on-site using the newest CDC resources.

As a reminder, through enforcement discretion, CMS allows Medicare-enrolled immunizers, including but not limited to pharmacies working with the U.S., to bill directly and get direct reimbursement from the Medicare program for vaccinating Medicare skilled nursing facility residents. See, Medicare billing and payment information.

Long-term care another healthcare providers also need to continue to ensure that they meet all other contagious disease and related requirements for participation in these federal programs as well as our meeting and managing their occupational health and safety, occupational injury, sick and disability leave, employee benefit, accommodation and anti retaliation mandates. See, e.g. SCOTUS To Hear Oral Arguments on OSHA COVID-19 Vaccination Rule Enforceability On January 7; COVID-19 Vaccination Rule Injunctions Leave Employers With Significant Liability Challenges Even As OSHA Extends Comment Period on OSHA COVID-19 Vaccine ETS

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Board President of the Richardson Development Program for Children ECE and Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies. 

This involvement encompasses helping health care systems and organizations, schools, ECEs, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns. 

Author of a multitude of health industry and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | ASC, Centers For Disease Control, Conditions of Participation, Coronavirus, Corporate Compliance, Covid, Employee Benefits, Employer, Employment, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, healthcare, HHS, Hospice, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, Medicaid, Medicaid Advantage, Medicare, Medicare Advantage, occupational health, OSHA, Pandemic, participating provider, Provider contracting | Permalink
Posted by Cynthia Marcotte Stamer

Dentists Face OSHA Retaliation Suit For Retaliating Against Workers Asking About COVID Safety

July 16, 2021

A new U.S. Department of Labor Occupational Safety and Health Administration (“OSHA”) lawsuit against two North Texas dentists warns health industry and other employers to tread carefully when dealing with employees about COVID-19 or other safety concerns.

The charges arises from the dental practice’s failure to reinstate a dental hygienist and a dental assistant who expressed concerns about the coronavirus safety measures the practice would implement when it reopened in Spring 2020. The lawsuit filed in the U.S. District Court for the Northern District of Texas, Fort Worth Division, names Roger H. Bohannan, DDS Inc. and owners Roger Bohannan and David Bohannan.

In March and April 2020, OSHA says Roger Bohannan and David Bohannan, owners of Roger H. Bohannan DDS Inc. furloughed their employees after the state of Texas prohibited specific dental procedures at the height of the pandemic. While furloughed, the two employees asked what safety measures would be in place once patients and employees returned. After receiving a call to return to work, the employer did not reinstate the hygienist after the employee cited guidance from the Centers for Disease Control and OSHA.

The dental assistant was contacted for rehiring but the employer rescinded the offer after the assistant inquired about what safety measures were in place for their protection.

An OSHA investigation found Bohannan Dentistry discriminated against the employees for exercising their rights under section 11(c) of the Occupational Safety and Health Act and for engaging in the protected activity of making a good faith health and safety complaint. The two employees were not rehired while all of the other staff members at the North Richland Hills practice were reinstated when the furlough ended.

OSHA charges that Bohannan Dentistry violated employees’ rights by terminating them for reporting concerns about unsafe working conditions.

The complaint asks the court to order the dental practice to:

  • Pay the complainant damages, plus interest, for all past and future lost wages and benefits resulting from the termination; reimbursement for costs and expenses; compensatory damages, including for compensation for emotional pain and distress and exemplary or punitive damages in an amount to be determined at trial.
  • Post a notice for employees stating that the defendants will not in any manner discriminate against any employee for engaging in activities protected by Section 11(c) of the OSH Act.

The lawsuit highlights the OSHA retaliation exposure employers could face if found to retaliate against employees for expressing concern about COVID or other safety. This is just one on the many minefields employers face dealing with employees in relation to COVID-19 safety concerns, leave, vaccination, remote work, return to work, benefits and other concerns. Health care and other employers are urged to work closely with experienced employment counsel to decide and administer their policies and responses.

More Information

If you are interested in a more information about the concerns discussed in this article or other concerns or developments, see here.

If you would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  For specific information or counsel about the these or other legal, management or public policy developments,  Ms. Stamer’s work, experience, involvements, other publications, or programs, contact Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297,  follow her on FacebookLinkedIn or Twitter or see Cynthia Marcotte Stamer, P.C. Website.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Most widely recognized for her work with health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations. and their leaders.

Ms. Stamer has extensive experience advising, representing, defending and training domestic and international public and private health care and life sciences, charitable, community and governmental, and other business organizations and their leaders, employee benefit plans, their fiduciaries and service providers, insurers, and others.  A widely published author and popular speaker, Ms. Stamer also has published and spoken extensively on wage and other and other health  care, human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress;  and many other compliance, governance, risk management, operational and public and regulatory affairs concerns.

A former lead advisor to the Government of Bolivia on its pension  project, Ms. Stamer also has worked internationally and domestically as an advisor to health, managed care, insurance, and other business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member,  past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  ©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, CDC, Centers For Disease Control, Coronavirus, Corporate Compliance, COVID-19, Disability Discrimination, Discrimination, Disease Management, Doctor, Employee Benefits, Employer, Employment, Employment law, Health Care, Health Care Finance, home health, Hospital, OSHA, Pandemic, Physician, Uncategorized | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Biden-Harris Plan To Beat COVID-19 Includes Plan To Expand Medicare, Other Health Care Plans

January 21, 2021

Newly sworn in President Joe Biden chose to make an executive order outlining the core principles for his Administration’s policy for fighting COVID-19 the first signed in his new administration.

The text of the COVID-19: The Biden-Harris plan to beat COVID-19 reads as follows:

The American people deserve an urgent, robust, and professional response to the growing public health and economic crisis caused by the coronavirus (COVID-19) outbreak. President Biden believes that the federal government must act swiftly and aggressively to help protect and support our families, small businesses, first responders, and caregivers essential to help us face this challenge, those who are most vulnerable to health and economic impacts, and our broader communities – not to blame others or bail out corporations.

The Biden-Harris administration will always:

Listen to science
Ensure public health decisions are informed by public health professionals
Promote trust, transparency, common purpose, and accountability in our government
President Biden and Vice President Harris have a seven-point plan to beat COVID-19.

Ensure all Americans have access to regular, reliable, and free testing.

Double the number of drive-through testing sites.
Invest in next-generation testing, including at home tests and instant tests, so we can scale up our testing capacity by orders of magnitude.
Stand up a Pandemic Testing Board like Roosevelt’s War Production Board. It’s how we produced tanks, planes, uniforms, and supplies in record time, and it’s how we will produce and distribute tens of millions of tests.
Establish a U.S. Public Health Jobs Corps to mobilize at least 100,000 Americans across the country with support from trusted local organizations in communities most at risk to perform culturally competent approaches to contact tracing and protecting at-risk populations.
Fix personal protective equipment (PPE) problems for good.

President Biden is taking responsibility and giving states, cities, tribes, and territories the critical supplies they need.

Fully use the Defense Production Act to ramp up production of masks, face shields, and other PPE so that the national supply of personal protective equipment exceeds demand and our stores and stockpiles — especially in hard-hit areas that serve disproportionately vulnerable populations — are fully replenished.
Build immediately toward a future, flexible American-sourced and manufactured capability to ensure we are not dependent on other countries in a crisis.
Provide clear, consistent, evidence-based guidance for how communities should navigate the pandemic – and the resources for schools, small businesses, and families to make it through.

Social distancing is not a light switch. It is a dial. President Biden will direct the CDC to provide specific evidence-based guidance for how to turn the dial up or down relative to the level of risk and degree of viral spread in a community, including when to open or close certain businesses, bars, restaurants, and other spaces; when to open or close schools, and what steps they need to take to make classrooms and facilities safe; appropriate restrictions on size of gatherings; when to issue stay-at-home restrictions.
Establish a renewable fund for state and local governments to help prevent budget shortfalls, which may cause states to face steep cuts to teachers and first responders.
Call on Congress to pass an emergency package to ensure schools have the additional resources they need to adapt effectively to COVID-19.
Provide a “restart package” that helps small businesses cover the costs of operating safely, including things like plexiglass and PPE.
“THIS ISN’T ABOUT POLITICS. IT’S ABOUT SAVING LIVES.”

PRESIDENT BIDEN, SEPTEMBER 16, 2020
Plan for the effective, equitable distribution of treatments and vaccines — because development isn’t enough if they aren’t effectively distributed.

Invest $25 billion in a vaccine manufacturing and distribution plan that will guarantee it gets to every American, cost-free.
Ensure that politics plays no role in determining the safety and efficacy of any vaccine. The following 3 principles will guide the Biden-Harris administration: Put scientists in charge of all decisions on safety and efficacy; publicly release clinical data for any vaccine the FDA approves; and authorize career staff to write a written report for public review and permit them to appear before Congress and speak publicly uncensored.
Ensure everyone — not just the wealthy and well-connected — in America receives the protection and care they deserve, and consumers are not price gouged as new drugs and therapies come to market.
Protect older Americans and others at high risk.

President Biden understands that older Americans and others at high-risk are most vulnerable to COVID-19.

Establish a COVID-19 Racial and Ethnic Disparities Task Force, as proposed by Vice President Harris, to provide recommendations and oversight on disparities in the public health and economic response. At the end of this health crisis, it will transition to a permanent Infectious Disease Racial Disparities Task Force.
Create the Nationwide Pandemic Dashboard that Americans can check in real-time to help them gauge whether local transmission is actively occurring in their zip codes. This information is critical to helping all individuals, but especially older Americans and others at high risk, understand what level of precaution to take.
Rebuild and expand defenses to predict, prevent, and mitigate pandemic threats, including those coming from China.

Immediately restore the White House National Security Council Directorate for Global Health Security and Biodefense, originally established by the Obama-Biden administration.
Immediately restore our relationship with the World Health Organization, which — while not perfect — is essential to coordinating a global response during a pandemic.
Re-launch and strengthen U.S. Agency for International Development’s pathogen-tracking program called PREDICT.
Expand the number of CDC’s deployed disease detectives so we have eyes and ears on the ground, including rebuilding the office in Beijing.
Implement mask mandates nationwide by working with governors and mayors and by asking the American people to do what they do best: step up in a time of crisis.

Experts agree that tens of thousands of lives can be saved if Americans wear masks. President Biden will continue to call on:

Every American to wear a mask when they are around people outside their household.
Every Governor to make that mandatory in their state.
Local authorities to also make it mandatory to buttress their state orders.
Once we succeed in getting beyond this pandemic, we must ensure that the millions of Americans who suffer long-term side effects from COVID don’t face higher premiums or denial of health insurance because of this new pre-existing condition. The Biden-Harris Administration will work to ensure that the protections for those with pre-existing conditions that were won with Obamacare are protected. And, they will work to lower health care costs and expand access to quality, affordable health care through a Medicare-like public option.

As the new Administration and Congress get down to work, health industry organizations as well as all other  U.S. organizations and communities, their leaders, and individual employees and citizens should carefully follow, and share their input to the Administration, members of Congress, and other federal, state and local officials on the actions and proposals taken to implement this and other policy that impact their interests.  The need for careful attention and scrutiny is particularly important for health, managed care and insurance and management organizations as President Biden made clear throughout his campaign his intent to pursue legislative and regulatory reforms that would reverse actions of the previous administration as well as implement addition reforms to expand coverage and regulation of health care, workforce and other critical policies.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is nationally recognized for her work and thought leadership on health and other health and employee benefit issues.

An attorney board certified in labor and employment law by the Texas Board of Legal Specialization and Fellow in the American College of Employee Benefit Counsel, Ms. Stamer has worked as an on demand, special project, consulting, general counsel or other basis with health care providers, health insurers, employer and other management organizations, health and other employee benefit plans, their sponsors, insurers, administrators, providers and others and others has published and spoken extensively on these concerns.

A former lead advisor to the Government of Bolivia on its pension  project, Ms. Stamer also has worked internationally and domestically as an advisor and advocate for employer and other plan sponsors, fiduciaries, administrators, insurers, technology and other service providers, managed care organizations, direct primary care and other health care providers and others  on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member,  past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com or contact Ms. Stamer via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  ©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | CDC, Centers For Disease Control, Consumer Driven Health Care, Coronavirus, Corporate Compliance, COVID-19, Cultural diversity, Direct Primary Care, Disability Discrimination, DME, Doctor, Emergency Care, Employee Benefits, Employer, Employment, Employment law, ERISA, Evidence Based Medicine, Fast Track Approval, FDA, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, HHS, home health, Hospice, Hospital, hospitals, Labor Law, Laws, managed care, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Pandemic, Pharmaceudical, Physician, Reimbursement, Uncategorized | Tagged: , , | Permalink
Posted by Cynthia Marcotte Stamer

Comment & Begin Preparation For Compliance With Proposed HIPAA Privacy Rule Changes

December 21, 2020

Health care providers, health plans and health insurers, health care clearinghouses (“Covered Entities”) and their business associates should budget and begin compliance plans, even as they comment on proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule announced by the Department of Health & Human Services Office of Civil Rights (“OCR”) in its December 10, 2020 Notice of Proposed Rulemaking (“Proposed Rule).  While the official Federal Register publication date has yet to be announced, OCR already is accepting comments pending the official publication. To assure consideration, comments must be received by OCR no later than 60 days from that official Federal Register publication date. 

More than 300 pages in length, the proposed HIPAA Privacy Rule changes include changes OCR intends to strengthen individuals’ rights to access their own electronic and other health information; improve information sharing for care coordination and case management for individuals; facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhance flexibilities for disclosures in the Opioid and COVID-19 public health emergencies or other emergency or threatening circumstances; and reduce administrative burdens on HIPAA covered health care providers and health plans. Highlights of some of the more significant proposed changes that the Proposed Rule will make if adopted as proposed include:

Individual Access Rights Expanded

The Proposed Rule includes a number of changes that if adopted as proposed, will increase significantly the burdens upon Covered Entities of complying with the individual access requirements of the Privacy Rule.  Among other things, these include the following:

  • Responding To Access Requests.  The Proposed Rule calls for:
  • Reducing the maximum period that Covered Entities have to respond to requests to “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request” instead of current 30 calendar days; 
  • Clarifying the current requirement for Covered Entities to provide PHI in the form and format requested by the individual if “readily producible” in that form and format by providing that “readily producible” includes secure, standards-based APIs using applications chosen by the individuals, such as a “personal health application” and protect individual’s rights to take notes, videos, and photographs, or use other personal resources to view or capture PHI in person;
  • Requiring Covered Entities to allow individuals access to inspect or obtain copies of their own PHI Free of charge when inspecting in person or accessing PHI on the internet, but continue to permit certain fees for labor, supplies, and postage for certain other means of access in accordance with Privacy Rules parameters.  In acquiescence to the District Court’s January, 2020 holding that the prohibition against Covered Entities charging for third party copies in the current regulations exceeded its statutory authority in Ciox Health, LLC v. Azar, however the Proposed Rule would allow Covered Entities to charge limited fees to an individual directing transmission of an electronic copy of PHI to a third party under specified circumstances.  The Proposed Rule also would require Covered Entities to provide advance notice of estimated fee schedules on their websites (if they have one) for common types of requests for copies of PHI and, upon request, provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies. 
  • Right to Direct Copies to Third Parties.  The Proposed Rule will require  Covered Entities to transmit electronic PHI in an electronic health record to another Covered Entity as part of the individual’s access right.  In addition, also in response to the Coix Health, LLC ruling, the Proposed Rule will limit the current right of an individual to direct a copy of PHI to a third party to an electronic copy and will specify that third party direction request need not be in writing as long as it is “clear, conspicuous, and specific.”
  • Verification. The Proposed Rule also would prohibit a Covered Entity from imposing “unreasonable” identity verification measures on an individual, including notarization of requests, requiring the individual to provide proof of identity in person when remove verification would be practicable, or requiring the individual to complete a full HIPAA authorization form for an access request.

Encouraging Care Coordination and Case Management Activities

The Proposed Rule also would make a number of changes that OCR believes will remove the barriers created in the current Privacy Rule to Covered Entities, whether a health care provider or health plan, engaging in individual-level care coordination and case management activities.  Some of the key elements of these changes include the following:

  • Clarification of Rules For Individual-Level Care Coordination. The Proposed Rule would revise existing rules regarding sharing of information for individual-level care coordination to apply to Covered Entities involved in such coordination activities, whether or not the participating Covered Entity is participating in the actual care or treatment of the individual by:
    • Revising the definition of “health care operations” in the current version of the Privacy Rule to clarify that the Privacy Rule allows sharing of PHI for individual-level care coordination among Covered Entities whether or not the participating Covered Entity is one involved in treatment or non-treatment involved Covered Entities such as health plans;
    • Revises the current minimum necessary restriction on the disclosure of PHI for purposes of individual-level care coordination to treat all Covered Entities engaging in individual-based care coordination and case management activities the same, regardless of whether performing the activities under the “treatment” or “health care operations” functions as defined by HIPAA.  Currently non-treatment involved Covered Entities participating in care coordination and case management can only receive and share the minimum necessary PHI as their lack of involvement in treatment disqualifies them for reliance upon the treatment exception to the Privacy Rule’s general requirement to limit disclosures to the minimum necessary.
    • The Proposed Rule also would allow Covered Entities to disclose PHI to community-based organizations, home and community-based services (HCBS) providers, social services agencies, and other similar third parties providing health-related services for individual-level care coordination and case management without obtaining a valid authorization from the individual.

Required Updates To Notices of Privacy Practices

The Proposed Rule also would change the Privacy Rule Notice of Privacy Practices (“NPP”) requirements in a manner that would require most Covered Entities to update their NPPs and associated privacy policies. In the Proposed Rule, OCR proposes:

  • Replacing the requirement that certain Covered Entities that have a direct treatment relationship with an individual obtain, and retain copies of, written acknowledgements from that individual confirming their receipt of the NPP with a right for the individual to discuss the NPP with a designee of the Covered Entity.
    • Modification of the required NPP content to include an additional description and instruction as to how individuals can exercise their access rights and a new, more detailed and instructive, required header meeting new specifications about the information the NPP provides to individuals with respect to their rights, how to exercise them, and the availability of the Covered Entity’s designated contact person.

Disclosures to Family Members and Other Caretakers in Certain Situations

Continuing a trend that OCR has followed over the past several years in its other guidance, the Proposed Rule also would modify the Privacy Rule under specified conditions to facilitate if not encourage health care providers more broadly to disclose PHI to family members or other caretakers of individuals with substance use disorders (SUD) or serious mental illness (SMI) and in emergency situations with less concern about exposing themselves to liability under HIPAA.  The key elements of these changes are accomplished as follows:

  • The Proposed Rule would replace the current language that allows Covered Entities to make certain uses and disclosures of PHI based on their “exercise of professional judgment” with  language allowing disclosure based on a Covered Entity’s “good faith belief” that the use or disclosure is in the best interests of the individual and add a presumption of good faith by the health care provider for this purpose.
    • The Proposed Rule would enable Covered Entities to disclose PHI to avert a threat to the health or safety of a person or the public when a harm is “serious and reasonably foreseeable,” instead of the current stricter requirement that the Covered Entity see a “serious and imminent” threat to health or safety.

Clarification Regarding Disclosures to TRS Providers

The Proposed Rule also would amend the current Privacy Rules to remove  telephone relay service providers (“TRS providers”) from the definition of “business associates” and expressly to allow disclosures to TRS communications assistants for persons who are deaf, hard of hearing, deaf-blind, or who have a speech disability.

Act Now

HIPAA Covered Entities, business associates and other concerned or impacted persons immediately should begin evaluating the Proposed Rule as soon as possible.  As the current comment will end 60 days after the impending publication of the Proposed Rule in the Federal Register, concerned persons desiring a change to any provision of the Proposed Rule should prepare and submit appropriate comments to OCR in a timely fashion within the comment period.  In addition, all Covered Entities and their business associates should review the rule  in preparation for its provisions taking effect with a particular eye toward understanding the actions necessary to comply with the modified rules and to budget the financial and operational resources likely to be required to accomplish that compliance.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Leave a Comment » | 21st century cures act, Academic medicine, ambulance, ASC, Childrens Health Insurance Program, Coronavirus, Corporate Compliance, COVID-19, data breach, data security, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Electronic Medical Records, Emergency Care, Employee Benefits, Employer, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Human Subjects Research, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, managed care, medical devices, Medical Privacy, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Pandemic, participating provider, Pharmaceudical, Pharmacy, Physician, Privacy, Psychiatric, public health, Rural Health Care, Skilled Nursing Facility, transplant, Uncategorized, Veterans Health Administration, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

University of Rochester Medical Center Paying $3 Million For Unencrypted Laptop & Flash Drive

November 6, 2019

$3 million is the hefty price that the University of Rochester Medical Center (URMC) has agreed to pay to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules arising from the loss of unencrypted laptops and other mobile devices containing protected health information (PHI).  Like prior settlements and civil monetary penalties OCR previously assessed against HIPAA-covered entities for using or storing electronic protected health information (ePHI) on unencrypted mobile devices, the $3 million sanction and other requirements imposed in the   URMC Resolution Agreement and Corrective Action Plan  made public after the close of business on November 5 reaffirm OCR’s readiness to sanction harshly health care providers, health plans, healthcare clearinghouses and businesses associates for the loss or compromise of ePHI due to the covered entity’s failure to appropriately encrypt mobile devices.  Any HIPAA covered entity or business associate that has not already done so must act to avoid a similar fate by establishing and enforcing systematic procedures to ensure all mobile devices using, accessing, storing or otherwise dealing with  ePHI are properly encrypted at all times.

URMC Breach & Resolution Agreement

The URMC Resolution Agreement resolves potential charges resulting from an OCR investigation commenced in response to breach reports UMRC filed with OCR in 2013 and 2017. The breach reports disclosed UMRC’s discovery of the impermissible disclosure of PHI through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.

OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

OCR made a point of reaffirming the requirement to encrypt laptops and other mobile devices containing ePHI when announcing the new Resolution Agreement. “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

As part of its punishment for allowing the ePHI breaches by failing to encrypt mobile devices, URMC must pay a $3 million monetary settlement as well as undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Mobile Device Encryption Requirement Well-Established

OCR repeatedly through published guidance and reported sanctions repeatedly  has warned covered entities and business associates not to permit ePHI to be used, accessed or stored on unencrypted laptops or other mobile devices.  In 2017, Children’s Medical Center of Dallas (Children’s) paid a  $3,217,000.00 Civil Monetary Penalty (CMP) after OCR issued its January 18, 2017 Final Determination that Children’s for years knowingly violated HIPAA by failing to encrypt or otherwise properly secure ePHI on laptops and other mobile devices and failing to comply with many other HIPAA requirements.  See Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules.   An OCR Newsletter Article on  Guidance on  Mobile Devices and Protected Health Information (PHI), for instance, states:

Entities regulated by the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) must be sure to include mobile devices in their enterprise-wide risk analysis and take action(s) to reduce risks identified with the use of mobile devices to a reasonable and appropriate level.
The article also shared insights about some of the steps OCR considers necessary to meet this expectation,  as including:

  • Implement policies for use of mobile devices that are used to handle PHI;
  • Consider using Mobile Device Management (MDM) software to secure mobile devices;
  • Install or enable automatic lock/logoff functions;
  • Require authentication to access devices;
  • Keep devices’ security features updated;
  • Procure encryption, anti-virus/anti-malware software, and remote wipe capabilities;
  • Use a privacy screen to prevent viewing by third-parties;
  • Assure that Wi-Fi networks used are secure;
  • Use a secure Virtual Private Network (VPN);
  • Institute policies regarding downloading third-party apps on devices which access PHI;
  • Delete all PHI from device before disposing of; and
  • Provide training on secure use of mobile devices for all employees.

Covered entities and business associates should promptly and continuously act to ensure on a systematic and carefully documented basis that their organization is taking these and and other steps necessary to ensure that all mobile device with ePHI are always appropriately encrypted.

We hope this information was helpful.  For more information about HIPAA or other related concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates and join discussions about these and other human resources, health and other employee benefit and patient empowerment concerns by participating and contributing to the discussions in our Solutions Law Press Health Care Risk Management & Operations Group and registering for updates on our Solutions Law Press Website.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

As a primary focus of this work, Ms. Stamer has worked extensively with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers, health industry advocacy and other service providers and groups and other health industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is noted for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her services, experience and involvements, e-mail Ms. Stamer here or contact Ms. Stamer via telephone at (214) 452-8297 or see here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides legal risk management and compliance, business strategy and operations,  management, leadership  and other publications, coaching, , training and education tools and other resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, we invite you to register to receive other updates and review our other Solutions Law Press, Inc.™ resources available here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | 21st century cures act, Academic medicine, Ambulatory care, ASC, Centers For Disease Control, Childrens Health Insurance Program, Civil Rights, Corporate Compliance, Cyber crime, data security, E-Prescribing, Electronic Health Records, Employee Benefits, Employer, Employment, Health Care, Health Care Finance, Health Care Provider, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Joint Commission, medical devices, Medical Privacy, NIST, Skilled Nursing Facility, Technology, Telemedicine, Uncategorized | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Air Ambulance Bills Drawing Congressional “Surprise Billing” Scrutiny

July 31, 2019

Congress is looking into air ambulance rates. The top Republican on the House Ways and Means Committee Kevin Brady (R-TX) and Committee Chairman Richard E. Neal (D-MA) sent a letter to Department of Transportation (DOT) Secretary Elaine Chao, urging her to comply with congressional requirements and promptly convene the Air Ambulance and Patient Billing (AAPB) Advisory Committee.

Part of continuing Congressional concern about reports that patients and their families suffer financial hardship from “surprise bills” for emergency care, Congress directed DOT to establish this task force within 60 days of enactment of the FAA Reauthorization Act of 2018, but 10 months have passed since the President signed the bill into law and the advisory committee still has not met. The task force’s purpose is to inform Congress on air ambulance medical patient billing as Ways and Means Committee leaders work to address the issue of balance billing.

The Government Accountability Office (GAO) issued a report this year that found that nearly 70 percent of analyzed air ambulance transports conducted in 2017 for privately insured patients were out-of-network, a significantly higher rate than other emergency services. The cost of these out-of-network air ambulance services are leaving patients exposed to unexpectedly high out-of-pocket bills.

The AAPB Advisory Committee is required to provide Congress, DOT, and the Department of Health and Human Services with recommendations to protect consumers from balance billing for air ambulance transports, requirements for the disclosure of charges and fees for these services, and consumer protection and enforcement authorities of both the DOT and states. “This information is critical as Congress considers appropriate steps to find the best solution to protect consumers from surprise bills,” wrote Brady and Neal. “However, the committee has failed to convene, let alone produce a report. Additionally, Congress mandated the Secretary of DOT to submit a report to the appropriate committees of Congress on air ambulance oversight, which has also yet to be provided.”

Brady and Neal requested that, within 14 days, DOT provide updated deadlines for the appointment of individuals to the task force, along with a timeline for convening the advisory committee and providing recommendations and a final report.

Patients using air ambulance and other services used in emergency circumstances generally don’t have the option of choosing network participating providers and often their health plans may not cover or only provide limited coverage for that transportation. On the other hand, air ambulance operators point out that the services are costly to own and operate requiring substantial investment in equipment, staff, regulations and other operating costs on standby and ready to respond on demand. They also point out that limited coverage for their services already creates a high uncollectible debt load. Because of these and other challenges many cities, counties and other governmental entities assume or subsidize these operating costs to help preserve the availability of services. They caution that increased regulation likely would adversely impact the availability of these services in rural or other areas where prompt transportation can mean the difference between life and death for critical patients.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | air ambulance, ambulance, balance billing, Emergency Care, Employee Benefits, Employer, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Reform, health care reimbursement, Health Plan, HHS, Hospital, Reimbursement, Rural Health Care, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Providers, Other HIPAA-Covered Entities Must Provide PHI to Patient-Designated Apps; Liable For Security On Covered Entity Supplied Or Sponsored Apps

May 6, 2019

Health care providers, health plans and other entities (“covered entities”) subject to the Health Insurance Portability & Accountability Act (“HIPAA”) Privacy and Security Rules must deliver electronic protected health information (“ePHI”) to electronic applications or software (“apps”) used by plan members, and are responsible under HIPAA for the security of electronic PHI (“ePHI”) on apps the covered entity  sponsors or provides, according to new guidance from the Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”). With health care providers and other covered entities increasingly offering or promoting the use of apps to patients or plan plan members to access, maintain and use their health information, covered entities and their business associates must understand and be prepared meet their HIPAA responsibilities to provide and protect ePHI to and on these apps, but may want to rethink sponsoring or providing a particular app for that purpose.

New HIPAA FAQ guidance (the “FAQs”) from OCR that addresses the implications of HIPAA on covered entities responsibility when asked to share or for ePHI shared or stored on apps or application programming interfaces (“APIs”) systems, covered entities have a legal obligation to disclose ePHI to an app when subjects of the ePHI or their personal representatives request such disclosures. However, the FAQs also state a covered entity or its business associates won’t be responsible for the security of the data shared to the app unless it sponsors or provides it.  The FAQs state that the liability of the covered entity for the security once delivered to the app depends upon whether the AP or API interface provider is a business associate of the covered entity versus just a third-party provider whose involvement and receipt of the PHI is requested and arranged by the subject of the PHI.

Covered Entities Obligated To Disclose ePHI to Apps Chosen By Individuals

The FAQs make crystal clear that covered entities do not have the option of refusing to share ePHI to an app when requested to do so by the subject of the ePHI or its personal representative. The FAQs states that covered entities cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives. In this regard, the FAQs state that the HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii).According to the FAQ, the HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest.According to the FAQs, the liability a covered entity or business associate bears for sharing ePHI to an App under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) depends on the relationship between the covered entity and the app.

Breaches of Health Information Disclosed To An App

If an app that is neither a covered entity nor a business associate of the covered entity under HIPAA receives ePHI at the request of the subject or its personal representative, the FAQ states that the shared ePHI is no longer subject to the protections of the HIPAA Rules. Thus if the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach. See also, See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party.In contrast, however, the FAQ states that if the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the FAQs state that the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.

Transmission of ePHI to App Using Unsecured Method

The FAQs also address the potential exposures of covered entities and their business associates arising from the transmission of ePHI to an App using an unsecure method. According to the FAQs, the access rights HIPAA guarantees to individuals allows an individual to request that a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. The FAQ states that a covered entity that transmits ePHI through an unsecured means under such circumstances would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, however, the FAQs also suggest that the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.

Post Transmission Exposure of Covered Entity’s EHR Systems Developer

The FAQ also discusses the potential exposure of a covered entity’s electronic health record (EHR) system developer under HIPAA after completing the transmission on behalf of a covered entity of ePHI to an app designated by the subject of the ePHI. According to the FAQs, the exposure of the HER system developer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through or on behalf of, the covered entity (directly or through another business associate), however, the FAQs state the EHR system developer then potentially could face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Covered Entity’s Duty To Enter Into Business Associate Agreement Depends Upon Relationship

Likewise, the FAQs also state that whether HIPAA requires a a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app depends upon the relationship between the app developer and the covered entity and/or its EHR system developer. A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions of the covered entity. An app’s facilitation of access to the individual’s ePHI at the individual’s request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).  However if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer as the covered entity’s business associate), then a business associate agreement would be required.

Health Plan & Other Covered Entity Take Aways

The new FAQ raises several action items for health care providers and other covered entities and their business associates.  Among other things, covered entities must recognize and be prepared currently to provide PHI on the apps of the requesting individual’s preference within the time frames dictated by HIPAA.  Covered entities must recognize that the FAQs reflect this is a current, not future responsibility.

Second, covered entities that have or are considering providing apps or other tools to atients for use in accessing or using PHI also generally need to recognize that covered entity’s provision or sponsorship of the app generally makes the covered entity responsible under HIPAA for the adequacy of the security of the apps provided by or on behalf of the health plan or health care provider including any updates to the apps.  Given the general responsibility to provide PHI to any apps designated by a subject of PHI, many covered entities may want to rethink  whether providing or endorsing a particular app continues to make sense taking into account the HIPAA data privacy and security responsibilities and risks attendent to maintaining the security of PHI stored and accessed using those tools.  Those electing to provide apps or other tools need to take steps to ensure the current and future adequacy of the data security of the app and its associated storage and other components including any future modifications to those tools. 

Furthermore,  covered entities  also should consider the advisability of revising existing notices and authorizations in response to the new FAQs.  For instance, health plans, health care providers and others supplying PHI to an app designated by the requesting individual may want to consider revising forms to document the direction and consent of the requestor to the electronic delivery of the PHI to the designated app to better position themselves to claim the protection against liability for breaches on these subject designate apps described in the FAQs.  Meanwhile, covered entities providing apps also may wish to weigh options for supplementing disclosures to mitigate potential risks from use or failure to upgrade apps that might be viewed as covered entity provided or sponsored.   

Certainly, before sponsoring or allowing a business associate to offer or provide an app or other similar solution, health care providers and other covered entities must ensure that the business associate agreement requirements of HIPAA are met from the app developer and others providing services or the app as business associates to the covered entity.  Covered entities also should take steps to ensure that the interfaces between the apps and other systems are properly security at the point of implementation and during any subsequent upgrades keeping in mind that OCR guidance expects covered entities to reconfirm security for any system, software or app upgrades.  Meeting this expectation for apps within the possession of patients or plan members can present special challenges requiring careful planning. 

Beyond complying with the specific requirements of the FAQs concerning the obligation of health care providers and other covered entities to deliver PHI to apps in formats specified by patients, providers also need to take to heart OCR’s broader requirement that providers and other covered entities deliver and provide timely access to OHI as required by HIPAA generally. Recognizing that noncompliance with this rule remains a top violation, OCR has targeted enforcement of the access rules for increase enforcement. In addition, violations also expose providers to medical licensure and other discipline.

Have questions about the new FAQs or other health care regulatory developments or their implications on your organization, contact the author.  You also are invited to stay abreast of these and other health care developments by participating in our Solutions Law Press, Inc. Linkedin SLP Health Care Risk Management & Operations Group or COPE: Coalition On Patient Empowerment Group or Project COPE: Coalition on Patient Empowerment Facebook Page.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third party administrative services organizations and other payer organizations;  billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompassess advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, heavily involved in health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. She regularly helps employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 

 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | E-Prescribing, Employee Benefits, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance Exchange, Health IT, home health, Hospital, Indian Health, Medicaid, Medicaid Advantage, Medical Licensure, Medicare Advantage, OCR, Physician, Uncategorized | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Provider Pays $3 Million For Breach With Delayed Investigation & Notice

May 6, 2019

A Franklin, Tennessee-based diagnostic medical imaging services provider Touchstone Medical Imaging (“Touchstone”) will pay $3,000,000 to the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”), and adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules.  The Resolution Agreement and Corrective Action Plan announced May 6, 2019 illustrates for other health care providers, health plans, healthcare clearinghouses and their business associates (“Covered Entities”) the perils both of failing to properly secure and protect protected health information and the necessity for timely investigation and disclosure within the short time frames required by HIPAA.

The Resolution Agreement between Touchstone and OCR stems from Touchstone’s mishandling of a 2014 breach.  In May 2014, the Federal Bureau of Investigation (“FBI”) and OCR notified Touchstone that one of its FTP servers allowed uncontrolled access to protected health information (“PHI”).  This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.   While Touchstone initially claimed that no patient PHI was exposed,  in the course of OCR’s investigation, Touchstone subsequently admitted PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  As a result of its delayed acknowledgement of the occurrence of the breach on May 9, 2014, Touchstone did not provide notice of the breach until October, 2014, months after OCR and FBI notified it of the breach.   See here.

OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.  Consequently, Touchstone’s notification to individuals affected by the breach also was untimely.  OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.

The Resolution Agreement illustrates the expensive price Covered Entities risk from failing to conduct risk assessments, obtain business associate agreements and fulfill other HIPAA requirements before a breach, then failing to promptly investigate, provide notification and redress a breach when discovered.  Covered Entities should learn from the painful lesson learned by Touchstone by reconfirming the adequacy of their current HIPAA  compliance and using care to timely and adequately investigate and provide notification if and when a breach occurs.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | E-Prescribing, Employee Benefits, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance Exchange, Health IT, home health, Hospital, Indian Health, Medicaid, Medicaid Advantage, Medical Licensure, Medicare Advantage, OCR, Physician, Uncategorized | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

CMS Finalizes 2020 Medicare Advantage & Prescription Drug Program Rule Updates & Implements Other Integrity Rule Changes

April 8, 2019

Health care providers, health plans, and Medicare and Medicare Advantage Program beneficiaries should note the program changes the Centers for Medicare & Medicare (“CMS”) is implementing through the Medicare and Medicaid Programs; Policy and Technical Changes to the Medicare Final Rule (“Final Rule”) that updates CMS’ governing regulations regarding the Medicare Advantage (MA or Part C) and Medicare Prescription Drug Benefit (Part D) programs for 2020.

Scheduled for official publication in the Federal Register on April 16, 2019, the advance copy of the 600 plus page Final Rule unofficially released last Friday, April 6, 2019 indicates that the Final Rule will:

  • Revise the Medicare Advantage (MA) program (Part C) regulations and Prescription Drug Benefit program (Part D) regulations to modify the appeals and grievances requirements for certain Medicaid managed care and MA special needs plans for dual eligible individuals to implement certain provisions of the Bipartisan Budget Act of 2018;
  • Implements certain other provisions of the Bipartisan Budget Act of 2018;
  • Makes changes to improve quality and accessibility;
  • Clarifies certain program integrity policies for MA, Part D, and cost plans and PACE organizations;
  • Seeks to reduce burden on providers, MA plans, and Part D sponsors through providing additional policy clarification;
  • Implement other technical changes regarding quality improvement; and

Contract Year 2020 Medicare Advantage and Part D Flexibility Final Rule 
(CMS-4185-F)

After expanding the MA plan choices for the 2019 plan year, CMS now also plans to continue to expanding patient options to provide patients more choice of MA plans to meet their unique health needs. In continuing the efforts to increase plan flexibility and plan choices for patients, CMS reports it is finalizing additional flexibilities to allow patients more MA options and new benefits.  Interested persons should watch for further guidance.

Implementing the Bipartisan Budget Act of 2018 Provisions

The Final Rule also implements the following provisions of the Bipartisan Budget Act of 2018, Public Law 115-123:

  • Section 50323 allows MA plans to offer “additional telehealth benefits” as part of the government-funded “basic benefits”;
  • Section 50311 requires increased integration of Medicare and Medicaid benefits and appeals and grievance processes for MA Dual Eligible Special Needs Plans (D-SNPs); and
  • Section 50354 requires the Secretary to establish a process to allow Part D plan sponsors to request standard extracts of Medicare Parts A and B claims data regarding their enrollees.

Medicare Advantage Plans Offering Additional Telehealth Benefits

MA plans always could offer patients in MA plans more telehealth services than those in Original Medicare.  With the Final Rule implementing the Bipartisan Budget Act of 2018’s provisions allowing MA plans to include “additional telehealth benefits” (telehealth benefits beyond what Original Medicare allows) in their bids for the basic Medicare benefits beginning plan year 2020, the Final Rule gives MA plans more flexibility than currently available in how they pay for coverage of telehealth benefits after 2019. As these changes allow MA plans more options to offer expanded telehealth coverage to meet the needs of their patients within the parameters of the Final Rule, MA patients are even more likely post 2019 to have access to telehealth services from more providers and in more parts of the country than before, whether they live in rural or urban areas.

Integration Requirements for D-SNPs

CMS is finalizing new minimum criteria for Medicare and Medicaid integration in D-SNPs for contract year 2021 and subsequent years. Pursuant to the requirements in the Bipartisan Budget Act of 2018, CMS plans to require that D-SNPs meet the integration criteria either by, at a minimum:

  • Covering Medicaid long-term services and supports and/or behavioral health services through a capitated payment from a state Medicaid agency; or
  • Notifying the state Medicaid agency (or its designee) of hospital and skilled nursing facility admissions for at least one group of high-risk full-benefit dual eligible individuals, as determined by the state Medicaid agency.

Unified Grievance and Appeals Procedures for D-SNPs

The Bipartisan Budget Act of 2018 requires compliance with unified grievance and appeal procedures beginning in contract year 2021.  CMS is finalizing rules to unify Medicare and Medicaid grievance and appeals processes for certain D-SNPs and affiliated Medicaid managed care plans. The processes will apply to D-SNPs with fully aligned enrollment and the affiliated Medicaid managed care organization, where one organization is responsible for managing Medicare and Medicaid benefits for all enrollees. In such D-SNPs, enrollees will have simpler, more straightforward grievance and appeals processes.

Improving Program Quality and Accessibility

As part of CMS efforts to continually improve the Star Ratings methodology, the Final Rules finalize several measure updates, an enhanced methodology for determining cut points, and a policy to adjust the methodology for Star Ratings for affected MA and Part D plans in the event of extreme and uncontrollable circumstances, such as hurricanes.

The final policy for extreme and uncontrollable circumstances is similar to the one implemented for the 2019 Star Ratings.

Based on stakeholder feedback to the Contract Year 2019 Medicare Advantage and Part D proposed rule (CMS-4182-P) and analyses of the data,  the Final Rule also provides an enhanced cut point methodology for data collected during the 2020 measurement year and associated 2022 Star Ratings that CMS intends to improve stability and predictability and reduce the influence of outliers by implementing a guardrail, so that cut points do not increase or decrease more than a 5 percent cap from one year to the next.

Clarifying Program Integrity Policies

The Final Rule also clarifies and tightens various program integrity policies.

Preclusion List Requirements for Prescribers in Part D and Individuals and Entities in MA, Cost Plans, and Programs of All-Inclusive Care for the Elderly (PACE)
CMS announced in April 2018 that the agency would prohibit payment for Part D drugs and MA items or services prescribed or furnished by prescribers and providers on a “preclusion list.” The Final Rule revises the preclusion list process to clarify the expectations for stakeholders through the following changes:

  • Length of time on the preclusion list for providers or prescribers with a felony conviction
  • Consolidation of the appeals process
  • Timeframe for additions to the preclusion list
  • Beneficiary “hold harmless” provisions
  • Beneficiary notification

Medicare Advantage Risk Adjustment Data Validation Provisions

CMS conducts contract-level Risk Adjustment Data Validation (RADV) audits to verify the accuracy of payments made to MA organizations and recover improper payments. In 2012, CMS released a white paper informing MA and Part D sponsors of its intention to extrapolate audit recovery findings starting with payment year 2011 contract-level audits. The proposed provision in CMS-4185-P updated stakeholders on our plans to use various sampling and extrapolation methodologies in these and subsequent RADV audits. The comment period for the RADV proposals was extended beyond the initial December 31, 2018 deadline to April 30, 2019 in order to maximize the opportunity for the public to provide meaningful input to CMS. Because the comment period was extended to April 30, 2019, the final rule does not address the RADV proposals. CMS says it intend to address the RADV provisions in a final rule at a later time.

Effective Dates

The provisions of the Final Regulations generally take effect January 1, 2020.  However, amendments to §§ 422.107(c)(9), (d), (e)(2), 422.560(a)(4) and (b)(5), 422.566(a), 422.629 through 422.634, 422.752(d), 438.210, 438.400, and 438.402 take effect January 1, 2021 and amendments to §§ 422.222(a)(2), 423.120(c)(6)(iv), and 498.5(n)(1) take effect in June, 60 days after publication of the Final Regulation.

Have questions about the Final Regulations or other health care regulatory developments or their implications on your organization, contract the author.  You als are invited to stay abreast of these and other health care developments by participating in our Solutions Law Press, Inc. Linkedin SLP Health Care Risk Management & Operations Group or COPE: Coalition On Patient Empowerment Group or Project COPE: Coalition on Patient Empowerment Facebook Page.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | air ambulance, ambulance, balance billing, Consumer Driven Health Care, Corporate Compliance, Emergency Care, Employee Benefits, Health Care, Health Care Finance, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, Hospital, hospitals, managed care, Medicaid Advantage, Medicare Advantage, Medicare Fee Schedule, participating provider, Physician, Provider contracting, Reimbursement, surprise billing, Telemedicine, Uncategorized | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Beef Up Patient Education & Management Tools With Diabetes Alert Day Resources

March 26, 2019

Physicians and other health care providers concerned about helping patients and others prevent and deal with Type 2 Diabetes should use today’s annual Diabetes Awareness Day observances and resources to beef up their Diabetes screening and management efforts and toolkits.

With 1 in 3 adult Americans at risk for Type 2 diabetes, the Centers for Disease Control (“CDC”) and other public and private organizations partnering in The National Diabetes Prevention Program are urging all physicians and other health care providers to partner in their efforts to prevent, delay and manage Type 2 diabetes.

Celebrated every year on the fourth Tuesday in March, Diabetes Alert Day promotes awareness of the prevalence and risks of undiagnosed or unmanaged Type 2 Diabetes to Americans, American taxpayers, health benefit programs and their communities.

  • More than 30 million people in the United States have diabetes and an additional 84 million adults—over a third—have prediabetes, and 90% of them don’t know they have it.
  • Diabetes is the 7th leading cause of death in the United States (and may be underreported).
  • Type 2 diabetes accounts for about 90% to 95% of all diagnosed cases of diabetes; type 1 diabetes accounts for about 5%.
  • In the last 20 years, the number of adults diagnosed with diabetes has more than tripled as the American population has aged and become more overweight or obese
  • Undiagnosed or unmanaged Type 2 diabetes threatens serious and disabling medical risks for afflicted individuals that also are financially costly for patients and their families, their health plans, taxpayers and communities.

While Type 2 Diabetes and its costs often can be prevented or minimized through appropriate diagnosis and treatment, Type 2 diabetes symptoms often develop over several years and go on for a long time without being noticed.  Health care providers generally recognize the need to screen patients for Type 2 Diabetes as well as educating patients to recognize the factors for Type 2 Diabetes and to contact their physician promptly when experiencing these symptoms, but often have limited time and resources to help educate patients and their families.

To start with, the CDC and its partners are encouraging all health care providers to urge their patients to take the online Type 2 Diabetes Risk, screen and educate patients and promote use of CDC-recognized lifestyle change programs to individuals suffering or at risk for Type 2 diabetes.

To help health care providers participate more effectively in the fight to prevent, detect and manage Type 2 Diabetes, the CDC and its partners provide a number of Diabetes screening and management resources for physicians and other health care providers.  These resources include a variety of patient education and screening tools, resources on Medicare and other coverage for diabetes screening and management, a list of

Physicians and other health care providers should check out the resources available from the CDC and take advantage of some of these resources to beef up their Type 2 and other Diabetes patient education, prevention, screening and management efforts, a directory of CDC-recognized lifestyle change programs and  more

Learn more about Type 2 Diabetes cost modeling, screening, prevention and other health care resources Project Cope: Coalition for Patient Empowerment Newsletter and share your own resources and ideas on diabetes and management and other health care best practices, challenges, policies and concerns by participating in our Linkedin  SLP Health Care Risk Management & Operations Group or COPE: Coalition On Patient Empowerment Group or Project COPE: Coalition on Patient Empowerment Facebook Page

About the Author 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | ambulance, Centers For Disease Control, Childrens Health Insurance Program, Clinical pathway, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, Diabetes, Disease Management, Doctor, drug treatment, Emergency Care, Employee Benefits, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health Plan, Health Plans, Health Policy, healthcare, home health, Hospital, hospitals, Human Subjects Research, Joint Commission, Life Sciences, managed care, Medicare Fee Schedule, participating provider, Patient Empowerment, Pharmacy, Physician, Provider contracting, public health, Reimbursement, surprise billing, Uncategorized | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

New GAO Report Likely To Fuel Scrutiny Of Air Ambulance Charges

March 21, 2019

Expect greater Congressional, regulatory and payer scrutiny of air ambulance coverage and services in response to a new US Government Accountability Office (GAO) Report entitled Air Ambulance: Available Data Show Privately-Insured Patients Are at Financial Risk released yesterday.

The report raises the alarm that out-of-network air ambulance transport costs and the risk of its balance billing poses a risk to patients.

The report analyzed FAIR Health data to show that about two-thirds (69 percent) of air ambulance transports for privately insured patients in 2017 were out of network, and that the proportion was similar (75 percent) in 2012. The report noted that the proportion is higher than the rate research shows for ground ambulance transports and other types of emergency services.

Further analyzing FAIR Health data, the GAO found that the median prices charged for air ambulance transport rose in recent years. Prices for helicopter transport and fixed-wing transport increased over 60 percent from 2012 to 2017.

The GAO turned to FAIR Health because our data repository was determined to be “the most complete data source we identified with data on prices charged for and the network status of air ambulance transports for privately-insured patients.” The GAO determined the reliability of FAIR Health data by “reviewing related documentation, interviewing relevant officials, checking for internal consistency, and comparing our results across data sets and to published sources.”

The release of the report comes as insurers and other payers are pushing Federal and state legislators and regulators to clamp down on out of network emergency and other charges.

The Patient Protection and Affordable Care Act (“ACA”) sought to protect patients from “surprise bills” for out-of-network services incurred when the need for emergency care denied the patient the option of choosing a in-network provider contracted with the patient’s health plan to provide care at discounted rates.

Insurers are complaining to legislators and regulators that this emergency coverage provision is Driving up healthcare costs by incentivizing the growth of out-of- network emergency care. Payers accuse healthcare providers that are out of network of driving up healthcare costs by overcharging for their services. payers are lobbying to obtain controls on these out of network services through federal and state legislation limiting coverage and balance billing for these services.

Meanwhile, air ambulance and other emergency transportation services generally contend that high operating costs and unreasonable coverage practices by payers are the problem. These providers argue their rates are driven by high operating costs to provide these services, the high number of uninsured or underinsured patients needing the services, and the exclusion or limitation of coverage for the services and refusal to reimburse providers at adequate rates. They also point out that aside from limiting reimbursement rates, many insurers exclude air ambulance services from coverage in their entirety. Accordingly, patient is transported by air ambulance generally incur substantial uncovered charges whether or not the ambulance happens to be contracted as an in network provider.  Many out of network and other air ambulance providers argue that payers seek to exercise and do market pressure to try to compel providers to deliver care and services at prices that are not financially viable and to restrict care in a manner that is inconsistent with patient needs.  They caution that cutbacks in reimbursement will further endanger patients needing immediate transportation by limiting the availability of the services in what often are life and death situations.

With the debate over “surprise billing” versus “surprise denials” heating up and emergency services and their costs, look for heightened scrutiny of charges and a slew of new regulatory proposals ahead.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | air ambulance, ambulance, balance billing, Consumer Driven Health Care, Corporate Compliance, Emergency Care, Employee Benefits, Health Care, Health Care Finance, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, Hospital, Hospital, hospitals, managed care, Medicare Fee Schedule, participating provider, Physician, Provider contracting, Reimbursement, surprise billing, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Tax Exemption Determination Procedures Changing

March 15, 2019

Tax exempt organizations and employee benefit plans take note. The Internal Revenue Service (IRS) exempt organization determination procedures are changing.

Revenue Procedure 2019-5 updates the Exempt Organization determination letters procedures. Changes include:

  • Adding references to “new” Form 1024-A, Application for Recognition of Exemption Under Section 501(c)(4) of the Internal Revenue Code
  • Clarifying that the IRS won’t rule on a request under IRC Section 501(c)(6) for an organization whose purpose relates to a controlled substance that is illegal under federal law
  • Increasing user fees for certain miscellaneous determinations from $1,000 to $2,000
  • Changing the name of the Office of Associate Chief Counsel, Tax Exempt and Government Entities, to the Office of Associate Chief Counsel, Employee Benefits, Exempt Organizations and Employment Taxes.

These changes will impact processes for submitting approval applications and other exempt organization, VEBA, fraternal benefit association and qualified employee plan dealings with the IRS. Impacted organizations, their leaders and advisors will want to adjust accordingly.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, Corporate Compliance, Employee Benefits, Fiduciary Responsibility, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health Plan, Health Plans, healthcare, Nonprofits, Tax, Tax-Exemption, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Year-End $3 Million HIPAA Settlement Pushes 2018 OCR HIPAA Recoveries Over $28 Million; Act Promptly To Strengthen Compliance & Share Ideas For Simplification

February 7, 2019

Health care providers, health plans, health care clearinghouse and their business associates (“Covered Entities”) should reconfirm the adequacy of their organization’s Health Insurance Portability and Accountability Act (“HIPAA”) compliance in light the U.S Department of Health and Human Services Office of Civil Rights (“OCR”) February 7, 2019 announcement that OCR reached a 2018 year-end $3 Million Resolution Agreement with California-based Cottage Health that pushed OCR’s already record-setting 2018 enforcement HIPAA recoveries to more than $28.7 million in a year already distinguished by OCR’s record-setting $16 million resolution payment collection from Anthem.

Along with acting to ensure their own organization’s ability to defend their HIPAA compliance, Covered Entities and their leaders also should take advantage of the opportunity to provide input to OCR on opportunities for simplifying and improving OCR’s HIPAA regulations and enforcement by submitting relevant comments by February 12, 2019 in response to a Request for Information published by OCR in December that invites public input.

Learn more de

2018 Cottage Health Resolution Agreement

According to OCR’s February 7, 2019 announcement, Cottage Health agreed in OCR’s final settlement of 2017 to pay OCR $3 million and to adopt a substantial corrective action plan to settle charges of HIPAA violations resulting from OCR’s investigations into two HIPAA Breach notifications Cottage Health filed regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals.

  • A December 2, 2013 breach notification that the removal of electronic security protections by a Cottage Health contractor rendered ePHI such as patient names, addresses, dates of birth, diagnoses/conditions, lab results and other treatment information of 33,349 individuals on a Cottage Health server accessible for download without a username or password from the internet to anyone outside Cottage Health.  In an update to its original report filed on July 2, 2014, Cottage Health increased the number of individuals affected by this breach to 50,917. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password.  As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.
  • A December 1, 2015, that the misconfiguration of a server following an IT response to a troubleshooting ticket, exposed unsecured ePHI including patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information of 11,608 individuals over the internet.

Based upon its investigation into the two breach reports, OCR concluded Cottage Health violated HIPAA by failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

To resolve its exposure to potentially must greater civil monetary sanctions that OCR might seek for such potential violations under HIPAA’s civil monetary sanction rules, Cottage Health entered into December, 2018 Resolution Agreement to pay the $3 million settlement and undertake what OCR characterizes as “a robust corrective action plan to comply with the HIPAA Rules.” Among other things, the corrective action plan requires Cottage Health to:

  • Conduct an enterprise-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Cottage Health (“Risk Analysis”) that OCR views as satisfactory to meet the requirements of 45 CFR 164.308(a)(1)(ii)(A);
  • Develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis acceptable to OCR;
  • Implement a process for regularly evaluating environmental and operational changes that affect the security of Cottage Health’s  ePHI;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information under 45 C.F.R. Part 160 and Subparts A, C, and E of Part 164 (the “Privacy Rule” and “Security Rule”).
  • Distribute to and conduct training on the HIPAA policies and procedures from all existing and new members of the Cottage Health workforce with access to PHI.  Additionally, Cottage Health require all workforce members that have access to PHI to certify their receipt of, understanding and commitment to comply with the HIPAA Policies before allowing access to PHI and must deny access to PHI to any workforce member that has not provided the required certification.
  • Submit to ongoing notification and reporting requirements to keep OCR informed about its compliance efforts.

2018 Record Setting HIPAA Enforcement Year

The final Resolution Agreement negotiated by OCR in 2018, the $3 million Cottage Health Resolution Agreement signed on December 11, 2018 added to an already record-setting year of HIPAA enforcement recoveries by OCR.  In addition to recovering the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc.  OCR’s recovery of the following HIPAA settlements and fines totaling nearly $28.7 million surpassed its previous 2016 record of $23.5 million by 22 percent.

Date Name

Amount
Jan. 2018 Filefax, Inc (settlement) $      100,000
Jan. 2018 Fresenius Medical Care North America (settlement) $   3,500,000
June 2018 MD Anderson (judgment) $   4,348,000
Aug. 2018 Boston Medical Center (settlement) $      100,000
Sep. 2018 Brigham and Women’s Hospital (settlement) $      384,000
Sep. 2018 Massachusetts General Hospital (settlement) $      515,000
Sep. 2018 Advanced Care Hospitalists (settlement) $      500,000
Oct. 2018 Allergy Associates of Hartford (settlement) $      125,000
Oct. 2018 Anthem, Inc (settlement) $ 16,000,000
Nov. 2018 Pagosa Springs (settlement) $      111,400
Dec. 2018 Cottage Health (settlement) $   3,000,000
Total (settlements and judgment) $ 28,683,400

Aside from the previously discussed Cottage Health Resolution Agreement OCR announced on February 7, 2019, these OCR 2018 enforcement recoveries included:

  • FileFax Resolution Agreement.  In January 2018, OCR settled for $100,000 with Filefax, Inc., a medical records maintenance, storage, and delivery services provider.  OCR’s investigation found that Filefax impermissibly disclosed protected health information (PHI) by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
  • Fresenius Medical Care North America Resolution Agreement.  In January 2018, OCR also settled for $3.5 million with Fresenius Medical Care North America (FMCNA), a provider of products and services for people with chronic kidney failure.  FMCNA filed five breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five FMCNA owned covered entities.  OCR’s investigation revealed that FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.  Additional potential violations included failure to implement policies and procedures and failure to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.
  • MD Anderson ALJ Ruling.  In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations.  OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals.  OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013.  This matter is under appeal with the HHS Departmental Appeals Board.
  • MMC/BWH/MGH Resolution Agreements.  In September 2018, OCR announced that it has reached separate settlements totaling $999,000, with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ PHI by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.
  • ACH Resolution Agreement.  In September 2018, OCR also settled with Advanced Care Hospitalists (ACH), a contractor physician group, for $500,000.  ACH filed a breach report confirming that ACH patient information was viewable on a medical billing services’ website.  OCR’s investigation revealed that ACH never had a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014.  Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.
  • Allergy Associates Resolution Agreement.  In October 2018, OCR settled with Allergy Associates, a health care practice that specializes in treating individuals with allergies, for $125,000.  In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. OCR’s investigation found that the reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.
  • Anthem Resolution Agreement.  In October 2018, Anthem, Inc. also paid $16 million to OCR and agreed to take substantial corrective action to settle potential violations of the HIPAA Rules after a series of cyberattacks led to the largest U.S. health data breach in history.  Anthem filed a breach report after discovering cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
  • Pegosa Springs Medical Center.  In November 2018, Pagosa Springs Medical Center (PSMC), a critical access hospital, paid $111,400 to OCR to resolve potential violations concerning a former PSMC employee that continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ ePHI, after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

These 2018 Resolution Agreements reaffirm the growing risks that Covered Entities and their business associates run by failing to take adequate steps to prevent and respond to breaches of ePHI and otherwise to maintain their compliance with HIPAA.  Covered entities and business associates and their leaders should recognize and respond to these growing risks by reevaluating and strengthening their HIPAA compliance and risk management efforts to minimize the likelihood of violations and enhance their ability to mitigate potential liability that can result from breaches of HIPAA by responding efficiently and effectively.

Other Regulatory & Enforcement Developments

In addition to reaffirming their ongoing compliance with the longstanding requirements of HIPAA and other related federal and state laws, Covered Entities also should use care to carefully monitor and respond to new regulatory and other developments that might create new responsibilities or new opportunities to simplify their HIPAA compliance.  In this respect, Covered Entities should take note of the 2018 and ongoing efforts by OCR to develop and publish new rules and other guidance intended to help health care providers and other Covered Entities, patients and caregivers and others understand their rights and responsibilities when dealing with protected health information in relation to patients afflicted with substance abuse and mental illness.   Undertaken as part of the Trump Administration’s broader effort to combat opiate and other substance abuse within the United States, OCR in October published a package of guidance on How HIPAA Allows Doctors To Respond To The Opioid Crisis.  Covered Entities and others concerned with the management of patients afflicted with substance abuse and mental illness should evaluate this guidance to understand and tailor their practices to respond to OCR’s perspectives of how HIPAA impacts the use, access and disclosure of protected health information as part of these efforts.

Covered Entities and others concerned about HIPAA compliance and interpretation also should carefully monitor and provide appropriate and timely input on developing HIPAA guidance that could impact their operations.  In this regard, Covered Entities with ideas about opportunities for improving existing HIPAA guidance are encouraged to submit comments to OCR by February 12, 2019 in response to its Request for Information on improving care coordination and reducing the regulatory burdens of the HIPAA Rules  published on December 12, 2018.  In that RFI, OCR invites input from the public on how the HIPAA Privacy Rule, could be modified to:

  • Encourage information-sharing for treatment and care coordination;
  • Facilitate parental involvement in care;
  • Address the opioid crisis and serious mental illness;
  • Account for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act;
  • Change the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices; and/or
  • Otherwise simplify or improve the existing HIPAA rules.

As a part of these efforts, Covered Entities and other concerned parties also should anticipate that OCR will be focusing heavily in the upcoming year on the potential HIPAA privacy and security implications of efforts by its sister agency, the Office of the National Coordinator for Health Information Technology (“ONC”), to promote greater interoperability of electronic medical records discussed in ONC’s recent 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

Under the 21st Century Cures Act, Congress gave ONC authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

  • The development and use of upgraded health IT capabilities;
  • Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
  • Improvement of the health IT end-user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden.  The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways.  While the Report states ONC intends to move forward to promote efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans, these activities inherently will raise many HIPAA concerns and challenges.  Covered Entities and others concerned with these activities will want to carefully monitor the concurrent activities of OCR and ONC as these efforts progress, both to help tailor their planning and compliance efforts to respond to the anticipated demand for greater interoperability as required by ONC and to help shape these rules by providing timely input as appropriate in response to these developments.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes.  As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | 21st century cures act, Academic medicine, ADA, ASC, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cyber crime, data breach, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, FACTA, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Indian Health, Inpatient Rehabilitation, Joint Commission, Laws, legal epidemiology, managed care, Meaningful Use, Medicaid, medical devices, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Health, Mental Heatlh, NIOSH, NIST, OCR, Opiates, Outpatient, participating provider, Physician, Prescription Drugs, Privacy, Prospective Payment, Provider contracting, public health, Public Policy, quality reporting, quality repoting, Reimbursement, research, Skilled Nursing Facility, Substance Abuse, Technology, Telemedicine, Veterans Health, Veterans Health Care, Wellness | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

ONC Report Signals New Interoperability Demands Coming

January 8, 2019

Interoperability will be a key priority for the Office of the National Coordinator for Health Information Technology (“ONC”) going forward.

That’s the message in the just released 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

The plan to promote interoperability raises new business and compliance planning opportunities for health care providers, health insurers and other payers, health data and information technology (IT) providers and others.

The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act.

Under the 21st Century Cures Act, Congress gave HHS authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

  • The development and use of upgraded health IT capabilities;
  • Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
  • Improvement of the health IT end user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden..

Current Status

The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. For example:

  • Despite the individual right to access health information about themselves established by the HIPAA Privacy Rule, patients often lack access to their own health information, which hinders their ability to manage their health and shop for medical care at lower prices;
  • Health care providers often lack access to patient data at the point of care, particularly when multiple health care providers maintain different pieces of data, own different systems, or use health IT solutions purchased from different developers; and
  • Payers often lack access to clinical data on groups of covered individuals to assess the value of services provided to their customers.
  • The Report says these limitations create several problems, including:
      • Patients should be able to easily and securely access their medical data through their smartphones. Currently, patients electronically access their health information through patient portals that prevent them from easily pulling from multiple sources or health care providers. Patient access to their electronic health information also requires repeated use of logins and manual data updates.
    • For health care providers and payers, interoperable access and exchange of health records is focused on accessing one record at a time.
    • Payers cannot effectively represent their members if they lack computational visibility into which health care providers offer the highest quality care at the lowest cost. Without the capability to access multiple records across a population of patients, health care providers and payers will not benefit from the value of using modern computing solutions—such as machine learning and artificial intelligence—to inform care decisions and identify trends.
    • Payers and employer group health plans which purchase health care have little information on health outcomes. Often, health care providers and payers negotiate contracts based on the health care provider’s reputation rather than on the quality of care that health care provider offers to patients. Health care providers should instead compete based on the entire scope of the quality and value of care they provide, not on how exclusively they can craft their networks. Outcome data will allow payers to apply machine learning and artificial intelligence to have better insight into the value of the care they purchase.
  • Current Barriers
  • According to the Report, HHS heard from stakeholders over the past year that barriers to interoperable access to health information remain, including technical, financial, trust, and business practice barriers. These barriers impede the movement of health information to where it is needed across the care continuum. In addition, burden arising from quality reporting, documentation, administrative, and billing requirements that prescribe how health IT systems are designed also hamper the innovative usability of health IT.
  • Current and Upcoming Actions
  • The Report states HHS has many efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans.
  • ONC also reports Federal agencies, states, and industry have taken steps to address technical, trust, and financial challenges to interoperable health information access, exchange, and use for patients, health care providers, and payers (including insurers). HHS aims to build on these successes through the ONC Health IT Certification Program, HHS rulemaking, health IT innovation projects, and health IT coordination.
  • In accordance with the Cures Act, HHS is actively leading and coordinating a number of key programs and projects. These include continued work to deter and penalize poor business practices and that HHS conducted multiple outreach efforts to engage the clinical community and health IT stakeholders to better understand these barriers, challenges, and health care provider burden.
  • Recommendations
  • The Report makes the following overarching recommendations for future actions HHS plans to support through its policies and that the health IT community as a whole can take to accelerate progress:
      • Focus on improving interoperability and upgrading technical capabilities of health IT, so patients can securely access, aggregate, and move their health information using their smartphones (or other devices) and health care providers can easily send, receive, and analyze patient data.
      Increase transparency in data sharing practices and strengthen technical capabilities of health IT so payers can access population-level clinical data to promote economic transparency and operational efficiency to lower the cost of care and administrative costs.
      Prioritize improving health IT and reducing documentation burden, time inefficiencies, and hassle for health care providers, so they can focus on their patients rather than their computers.

    The Report also says interoperable access underpins HHS’s efforts to pursue a health care system where data are available when and where needed.

    ONC intends to particularly focus on promoting open APIs. Open APIs are technology that allow one software program to access the services provided by another software program and can improve access and exchange of health information. ONC says APIs can:

    • Support patients’ ability to have more access to information electronically through, for example, smartphones and mobile applications. HHS applauds the emergence of patient-facing applications that allow patients to access, aggregate, and act on their health information; and
    • Allow payers to receive necessary and appropriate information on a group of members without having to access one record at a time.
    • Increase institutional accountability, support value- based care models, and lead to competitive medical care pricing that benefits patients.

    The Report claims patients, health care providers, and payers with appropriate access to health information can use modern computing solutions to generate value from the data. Improved interoperability can strengthen market competition, result in greater quality, safety, and value for the healthcare system, and enable patients, health care providers, and payers to experience the benefits of health IT.

    Prepare For Enhanced Operability Requirements

    ONC’s plan to achieve greater interoperability presents new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others. Among other things, participants in the healthcare system and their suppliers will need to prepare to comply with new expectations and mandates for interoperability. Meeting these demands will require financial expenditures as well as present technological challenges.The increased availability and access to electronica medical records and information resulting from these changes also a can be expected to drive new challenges and demands. Among other things, businesses relying on control of health information or records to influence or control patience, reimbursement, or other business value need to reevaluate and adjust their business models accordingly.

    Improve accessibility and interoperability also is likely to create new expectations and demands by patients, payers, other providers and perhaps most significantly for providers and payers, regulators. Participants in the system will need to understand these applications and prepare to both defend their business performance as well as their compliance taking into account these new demands.

    Amid all of this, of course, providers, pears, and their business associates can anticipate continued if not enhanced demands for enhanced data security and privacy protections and accompanying enforcement of these standards.

    As ONC move forward on its plans to enhance interoperability, all concerned stakeholders will want to monitor developments and provide thoughtful and timely input. The time to get started is now. ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Those interested in providing input should make sure their comments are submitted by the applicable deadlines next month.

    Read the full Report here and share your input by the specified deadlines.

    About the Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes.  As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

    Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

    Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

    Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

    Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

    Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | 21st century cures act, Academic medicine, ADA, ASC, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cyber crime, data breach, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, FACTA, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Indian Health, Inpatient Rehabilitation, Joint Commission, Laws, legal epidemiology, managed care, Meaningful Use, Medicaid, medical devices, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Health, Mental Heatlh, NIOSH, NIST, OCR, Opiates, Outpatient, participating provider, Physician, Prescription Drugs, Privacy, Prospective Payment, Provider contracting, public health, Public Policy, quality reporting, quality repoting, Reimbursement, research, Skilled Nursing Facility, Substance Abuse, Technology, Telemedicine, Veterans Health, Veterans Health Care, Wellness | Tagged: , , , , | Permalink
    Posted by Cynthia Marcotte Stamer

    CMS Hosts EDGE Server Webinar Series VIII for Health Insurers, TPAs

    November 1, 2018

    The Centers for Medicare & Medicaid Servhces (CMS) will conduct a webinar session on the EDGE Server 29.0 Maintenance Release Detail and Global Reference Data Updates on Tuesday, November 6, 2018 from 11:30 a.m. – 12:30 p.m. ET.

    CMS will conduct this session using two (2)-way audio conferencing for

    • Health Insurance Issuers of Marketplace and Non-Marketplace Plans § Amazon and On-Premise EDGE server Issuers
    • Health Plan Third Party Administrators (TPAs)

    Register here at least 24 hours prior to the scheduled session.

    Leave a Comment » | Affordable Care Act, Consumer Driven Health Care, Corporate Compliance, Electronic Health Records, Employee Benefits, ERISA, Health IT, Health Plan, Health Plans, healthcare, HHS, Medicare Advantage, Reimbursement, Uncategorized | Permalink
    Posted by Cynthia Marcotte Stamer

    Congress Set To Pass Opiate Addition Crisis Bill

    September 26, 2018

    Legislation targeting opiate addition crisis in the United States is heading to President Trump for signature.

    Yesterday (September 25, 2018), House and Senate leaders reached an agreement on the reconciliation of differences in versions of legislation passed in the House and Senate targeting opiate and other drug addition crisis.

    The Opiate Crisis

    Opiate addition increasingly is recognized as one of the leading and most costly social and financial challenges in the U.S.

    The misuse of and addiction to opioids—including prescription pain relievers, heroin, and synthetic opioids such as fentanyl—is considered a serious national crisis that affects public health as well as social and economic welfare.

    according to the National Institutes of Health (NIH), more than 115 people in the United States die after overdosing on opioids every day.

    The Centers for Disease Control and Prevention estimates that the total “economic burden” of prescription opioid misuse alone in the United States is $78.5 billion a year, including the costs of healthcare, lost productivity, addiction treatment, and criminal justice involvement.

    Concern about the addiction crisis prompted President Trump to make addressing the opiate epidemic a key Administration priority and reform efforts generally enjoy widespread bipartisan support with Congress.

    The Bill

    In June, the House passed H.R. 6, the SUPPORT for Patients and Communities Act by a vote of 396-14. On September 17th, the Senate passed the Opioid Crisis Response Act of 2018 by a vote of 99-1.

    The bipartisan, bicameral agreement allows the final legislation negotiated through the reconciliation process, the “Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act” more commonly referred to as the ‘‘SUPPORT for Patients and Communities Act’’ to move swiftly through both chambers of congress and to the president’s desk.

    Among other things, the Bill:

    • Expands opiate addition treatment coverage, requires added utilization management and oversight for coverage of opiate prescriptions and makes other changes to opiate-related Medicare and federal rules, including adding requirements for automatic escalation to external review under a Medicare part D drug management program for at-risk beneficiaries and suspension of payments by Medicare prescription drug plans and MA–PD plans pending investigations of credible allegations of fraud,
    • Requiring expanded coverage and Clains reporting about by healthcare payers including requiring reporting by group health plans of prescription drug coverage information for purposes of identifying primary payer situations under the Medicare program,
    • Modifies provisions regarding electronic prescriptions and post-surgical pain management,
    • Requires prescription drug plan sponsors to establish drug management programs for at-risk beneficiaries,
    • Establishes and expands programs to support increased detection and monitoring of fentanyl and other synthetic opioids,
    • Increases the maximum number of patients that health care practitioners may initially treat with medication-assisted treatment (i.e., under a buprenorphine waiver),
    • Clarifies FDA regulation of non-addictive pain products.
    • Requires the FDA to develop and implement guidelines for opiate prescribing and new safety-enhancing packaging,
    • Targets illegal distribution with new notification, nondistribution, and controlled substances recall rules, expanding controls on illegal importation, and strengthening FDA and CBP coordination and capacity
    • Creating or expanding a plethora of social, treatment, oversight and other programs and services.

    Read the full text of the legislation here. For more information about the Bill or its effects, contact the author.

    About the Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

    Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients as well as a diverse array of other business and government entities. Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with operational compliance and risk management; strategic planning; product and services development and innovation; workforce and operations management: crisis preparedness and response; public and regulatory affairs and host of other concerns.

    As part of this work, Ms. Stamer continuously advises clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters.   She helps clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  She also helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

    Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

    As part of this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer also continuously works with a diverse array of clients to monitor, shape and respond to federal and state legislative, regulatory, enforcement and other public policy and regulatory affairs concerns.

    Author of leading works on a multitude of these and other concerns, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, and Board Certified by the Texas Board of Legal Specialization in Labor and Employment Law, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or experience publications, speaking, public advocacy or other involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | Anethesiology, billing, Border Health, Centers For Disease Control, Consumer Driven Health Care, Controlled Substances, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, health care reimbursement, Health IT, Health Plan, Health Plans, home health, Hospital, managed care, Medicaid, Medical Malpractice, Medical Records, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Heatlh, Opiates, Outpatient, pain management, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Substance Abuse, substance abuse treatment, Uncategorized, Veterans Health Administration | Permalink
    Posted by Cynthia Marcotte Stamer

    Key House Committee Votes To Advance HSA & Other Health Choice Reforms; Plans 7/17 Health Care Fraud Hearings

    July 13, 2018

    A flurry of activity in the House Ways & Means Committee and other Congressional committees over the past few weeks signals the advisability of keeping a close eye on health care and health benefit reform proposals this Summer in anticipation of both the Fall health benefit enrollment and renewal season and the mid-term November Congressional elections.

    Certainly continued Congressional commitment to pursue reform is evident from the House Ways & Means Committee’s health care heavy agenda of hearings and votes that this week alone resulted in its voting in favor of 11 health care reform bills promising new flexibility for employers about how to design their health plans and American families more health care choices and choice about how to pay for it and what coverage to buy popular with many providers, patients and employer and other health plan sponsors. While it remains to be seen if the House and Senate can agree on any or all of these proposal, the bi-partisan sponsorship of many of these proposals and the intensity of the focus of the Committee and others in Congress reflects a strong interest in health care reform by both parties leading up to November that could impact health benefit and other health care choices for providers, employers and American families in the Fall annual enrollment season.

    The legislation passed by the Ways & Means Committee this weeks include bills that would:

    • Provide relief for employers relief from the Obamacare’s employer mandate and delay for an additional year the effective date of the widely disliked “Cadillac Tax;”
    • Overrule the “Use it Or Lose It” requirement in current Internal Revenue Regulations for healthcare flexible spending arrangement plans (HFSAs) that currently forces employers sponsoring HFSAs to draft their plans to require employees to forfeit unused salary reduction contributions in their HFSA accounts at the end of the year;
    • Offer individuals and families eligible for Obamacare created health premium subsidies more choice about where to obtain that coverage using their subsidies; and
    • Expand expand the availability and usability of HSAs in a multitude of ways.

    While the recurrent stalling of past reform efforts over the past few years calls into question whether any or all of these proposals can make it through the highly politicized and divided Congress, bi-partisian sponsorship of most of the bills reported out this week at least raises the possibility that some of these proposals enjoy sufficient bi-partisan support to potentially pass before the elections. With both parties viewing health care reform as a key issue in the upcoming elections, voter feedback on these proposals could play a big role in determining the prospects for passage this Summer.

    Passage of any or all of these proposed reforms between now and year end likely will fuel the need for last minute reconsideration and potential adjustments in plan design choices of employers and other health plan sponsors and administrators, reconsideration of health benefit enrollment choices of individual Americans and their families and a reconsideration of practice billing and health plan participation decisions of physicians and other health care providers. Accordingly, health care providers, employers and other health plan sponsors, American taxpayers and their families and others impacted by health care and health benefit policies will want to carefully monitor these reforms as the Summer progresses:

    • To provide timely input to Congress on proposed reforms of particular benefit or concern;
    • To help plan for and deal with rules changes that could impact their options and choices during the upcoming health plan renewal and enrollment season this Fall and going forward; and
    • To be prepared to make informed choices when voting in the upcoming mid-term Congressional elections in November.

    To learn more details about this proposed legislation, its potential implications or other related concerns, see here or contact the author.

    About the Author

    After holding hearings on health savings account reforms and passing a flurry of health care reform bills intended to give employers relief from two key Obamacare mandates, to allow Obamacare subsidy-eligible Americans the choice to use the subsidies to purchase health care coverage not offered by the Obamacare exchanges,  and a host of bills that would expand availability and usability of health savings account (HSA) and health care flexible spending account (HFSA) programs this week, the House Ways and Means Committee will turn its attention to health care fraud oversight and reform next week by holding hearings Tuesday on those health concerns.  Health care providers, employer and other health plan sponsors, individual Americans and their families, and others interested in health benefit and health care reform will want to keep a close eye on these and other developments as Congress continues to debate health care reform in the runup to the upcoming 2018 health benefit plan renewal and annual enrollment season and November’s mid-term elections.

    Committee Approved 11 Health Care Reform Bills This Week

    As a part of its health reform efforts this week, the Committee voted to advance 11 health care reform bills offering new flexibility for employers about how to design their health plans and American families more health care choices and choice about how to pay for it and what coverage to buy popular with many providers, patients and employer and other health plan sponsors.

    Among the approved legislation is a bill that would provide key relief for employers from certain key Obamacare mandates that have been widely unpopular with employers.  H.R. 4616, the “Employer Relief Act of 2018,” sponsored by Rep. Devin Nunes (R-CA) and Rep. Mike Kelly (R-PA), which would give employers sponsoring health plans for their employees retroactive relief from Obamacare’s onerous employer mandate and delay for an additional year the effective date of another Obamacare requirement that when effective, will forces employers to pay the 40 percent tax on amounts paid for employer sponsored health care coverage  that exceeds cost limits specified in the Obamacare legislation commonly known as the “Cadillac Tax.”  Relief from the Cadillac Tax is widely perceived as benefiting bother employers and their employees, as its provisions penalize employers for spending more for employee health coverage than limits specified in the Obamacare law.  These provisions also are particularly viewed by many as unfair because rising health plan costs since Obamacare’s passage make it likely that many employers will incur the tax penalty simply by sponsoring relatively basic health plans meeting the Obamacare mandates.

    In addition to H.R. 4616,  the Committee also voted to approve H.R. 6313, the “Responsible Additions and Increases to Sustain Employee Health Benefits Act of 2018,” sponsored by Rep. Steve Stivers (R-OH), which would overrule the “Use it Or Lose It” requirement in current Internal Revenue Regulations for HFSAs.  Currently, this rule forces employers sponsoring HFSAs to draft their plans to require employees to forfeit unused salary reduction contributions in their HFSA accounts at the end of the year.  The bill would allow employers to eliminate this forfeiture requirement so that employees could carry over any remaining unused balances in their HFSAs at the end of the year to use in a later  year.

    The Committee also voted to advance legislation to offer individuals and families eligible for Obamacare created health premium subsidies more choice about where to obtain that coverage.  H.R. 6311, the “Increasing Access to Lower Premium Plans Act of 2018,” sponsored by Chairman Peter Roskam (R-IL) and Rep. Michael C. Burgess, M.D. (R-TX), would provide individuals receiving subsidies to help purchase health care coverage through the Obamacare-created health insurance exchange the option to use their premium tax credit to purchase health care coverage from qualified plans offered outside of the exchanges.  Currently, subsidies may only be used to purchase coverage from health plans offered through the exchange, which often are much more costly and offer substantially fewer coverage options and less provider choice.  In addition, the bill would expand access to the lowest-premium plans available for all individuals purchasing coverage in the individual market and allows the premium tax credit to be used to offset the cost of such plans.

    Along with these reforms, the Committee also voted to pass a host of bills that would expand the availability and usability of HSAs including:

    • H.R. 6301, the “Promoting High-Value Health Care Through Flexibility for High Deductible Health Plans Act of 2018,” co-sponsored by Health Subcommittee Chairman Peter Roskam (R-IL) and Rep. Mike Thompson (D-CA), which seeks to expand access and enhance  the utility of Health Savings Accounts (HSAs) by offering patients greater flexibility in designing their plan design while still being able to maintain their eligibility for HSA contributions.
    • H.R. 6305, the “Bipartisan HSA Improvement Act of 2018,” sponsored by Rep. Mike Kelly (R-PA) and Rep. Earl Blumenauer (D-OR), which also would expand HSA access and  utility by allowing spouses to also make contributions to HSAs is their spouse has an FSA and lets employers offer certain services to employees through on-site or retail clinics.
    • H.R. 6317, the “Primary Care Enhancement Act of 2018,” co-sponsored by Rep. Erik Paulsen (R-MN) and Rep. Earl Blumenauer (D-OR), which seeks to protect HSA-eligible individuals who participate in a direct primary care (DPC) arrangement from losing their HSA-eligibility merely because of their participation in a DPC. In addition, it allows DPC provider fees to be covered with HSAs.
    • H.R. 6312, the “Personal Health Investment Today (PHIT) Act,” sponsored by Rep. Jason Smith (R-MO) and Rep. Ron Kind (D-WI), which seeks to fight obesity and promote wellness by allowing taxpayers to use tax-preferred accounts to pay costs of gym membership or exercise classes, children’s school sports programs and certain other wellness programs and activities.
    • H.R. 6309, the “Allowing Working Seniors to Keep Their Health Savings Accounts Act of 2018,” sponsored by Rep. Erik Paulsen (R-MN), which would expand HSA eligibility to include Medicare eligible seniors who are still in the workforce.
    • H.R.6199, the “Restoring Access to Medication Act of 2018,” sponsored by Rep. Lynn Jenkins (R-KS) and Rep. Grace Meng (D-NY), which would reverse Obamacare’s prohibition on using tax-favored health accounts to purchase over-the-counter medical products and would add feminine products to the list of qualified medical expenses for the purposes of these tax-favored health accounts.
    • H.R. 6306, the “Improve the Rules with Respect to Health Savings Accounts,” sponsored by Rep. Erik Paulsen (R-MN), which would increase the contribution limits for HSAs and further enhances flexibility in plans by allowing both spouses to contribute to make catch-up contributions to the same account and creating a new grace period for medical expenses incurred before the HSA was established.
    • H.R. 6314, the “Health Savings Act of 2018,” sponsored by Rep. Burgess (R-TX) and Rep. Roskam (R-IL), would expand eligibility and access to HSAs by allowing plans categorized as “catastrophic” and “bronze” in the exchanges to qualify for HSA contributions.

    Committee Considers Health Care Fraud Next Week 

    The Committee next week will turn its attention to health care fraud by holding two hearings on Tuesday.

    Both hearings are scheduled to take place in Room 1100 Longworth and their proceedings will be live streamed on YouTube.

    The Committee’s health care reform focus this week and next are reflective of the continued emphasis of members of Congress in both parties on health care reform legislation as they prepare for the impending mid-term elections in November.  As a part of these efforts,  the House and Senate already over the past several months have held a wide range of hearings in various committees and key votes on a multitude of reform proposals.  Numerous other hearings and votes are planned over the next several months as Congressional leaders from both parties work to advance their health care agendas in anticipation of the upcoming elections.

    Key health care and health benefit reform  proposals that the Republican Majority has designated for priority consideration include:

    • Prescription drug costs by checking perceived negative effects of health industry and health plan consolidations involving large health insurers, pharmacy benefit  management companies (PBMs), pharmacy companies and other health industry and health insurance organizations on health care costs and patient, plan sponsor and plan sponsor choice and health care quality;
    • Oversight and reform of existing STARK, anti-kickback and other federal health care rules and exemptions relied upon by PBMs and other health industry organizations;
    • Efforts to understand and address health care treatment, health care and coverage costs and related social concerns associated with mental health and opioid and other substance abuse conditions and their treatment;
    • Efforts promote health  benefit and health care choice, affordability and coverage;  improve patient and employer choice; promote broader health care access and quality; reduce counterproductive regulation; and other health insurance and care improvements through expanded availability of health savings accounts, direct primary care and other consumer directed health care options, association health plan and other program options, streamlining quality reporting and regulation, billing and coding, physician and other health care provider electronic billing and recordkeeping,  and other provider,  payer, employer, individual and other health insurance mandates and other federal health care and health plan rules; and
    • More.

    Health care providers, employers and other health plan sponsors, American taxpayers and their families and others will want to carefully monitor these reforms as the Summer progresses:

    • To provide timely input to Congress on proposed reforms of particular benefit or concern;
    • To help plan for and deal with rules changes that could impact their options and choices during the upcoming health plan renewal and enrollment season this Fall and going forward; and
    • To be prepared to make informed choices when voting in the upcoming mid-term Congressional elections in November.

    About the Author

    Recognized repeatedly by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry, health and other benefit, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employer, associations, government and other health benefit sponsors and administrators, public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry, insurance, technology, government and other management clients.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career.

    Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design and reform programs and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

    Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

    Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

    Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved

    Leave a Comment » | Affordable Care Act, Anti-KickBack, Antitrust, Child Care, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Direct Primary Care, E-Prescribing, Employee Benefits, Employment, Evidence Based Medicine, FDA, Fiduciary Responsibility, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HHS, Home Health, home health, Hospital, hospitals, managed care, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, Patient Empowerment, Pharmaceudical, Pharmacy, Physician, Preexisting Condition Insurance Plan, Prescription Drugs, Psychiatric, Public Policy, quality reporting, Reimbursement, Rural Health Care, substance abuse treatment, Tax, Tax-Exemption, Uncategorized, Veterans Health, Veterans Health Administration, Veterans Health Care | Permalink
    Posted by Cynthia Marcotte Stamer

    HIPAA Lessons Every Health Plan, Health Care Provider & Business Associate Should Learn From Bankrupt FileFax’s HIPAA Settlement

    February 16, 2018

    Health care providers, health plans and insurers, health care clearinghouses (Covered Entities) and their business associates within the meaning of the Health Insurance Portability & Accountability Act (HIPAA) should heed the warnings contained in the new Resolution Agreement (FileFax Resolution Agreement) with former HIPAA business associate FileFax, Inc. announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) about their own need to ensure that they and their business associates comply with HIPAA’s business associate and other Privacy, Security, Breach Notification rules as well as the advisability of tightening up their risk management and oversight of business associates that handle protected health information (PHI).

    Significant for business associates as what appears to be the first announced resolution agreement with a business associate directly charged by OCR with violating HIPAA and the second resolution agreement pursued and reached with a HIPAA-regulated entity in bankruptcy, the FileFax, Inc. Resolution Agreement OCR announced February 13, 2018 also contains critical lessons for Covered Entities about their dealings with their own business associates when read in conjunction with the April, 2017 resolution agreement the Center for Children’s Digestive Health (CCDH) agreed to resolve OCR charges CCDC, as a Covered Entity, violated HIPAA by allowing FileFax, Inc. to act as its business associate without adequately complying with HIPAA’s business associate requirements.

    With widespread media coverage over large scale breaches of health care and other sensitive information placing further pressure upon OCR and other governmental agencies to act to protect Americans’ privacy and data fueling even greater demands for OCR and other agencies to take meaningful action to enforce HIPAA and other privacy and data security requirements, health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates can expect OCR and other agencies to continue to turn up the heat on investigation and enforcement of HIPAA compliance.

    In the face of these developments, Covered Entities, their business associates and those responsible for their leadership and operations need to recognize and take the necessary steps both effectively to manage their own HIPAA compliance and risk management as well as to anticipate and make provision to deal with the likelihood that they may face HIPAA responsibilities, exposures and other fallout from their own or another business partner’s breach of PHI or other sensitive data or other HIPAA violations, bankruptcy or other business distress, or other compliance or business event.

    HIPAA Privacy, Security & Breach Notification Rule Responsibilities & Risks

    The Privacy Rule requires that Covered Entities and their vendors that qualify as “business associates” under HIPAA comply with detailed requirements concerning the protection, use, access, destruction and disclosure of PHI.  As part of these requirements, Covered Entities and their business associates must adopt, administer and enforce detailed policies and practices, assess, monitor and maintain the security of electronic protected health information (ePHI) and other protected health information, provide notices of privacy practices and breaches of “unsecured” ePHI, afford individuals that are the subject of protected health information certain rights and comply with other requirements as specified by the Privacy, Security and Breach Notification Rules.  In addition, Covered Entities and business associates also must enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the Covered Entity. Furthermore, the Privacy Rule includes extensive documentation and keeping requirements require that Covered Entities and BAs maintain copies of these BAAs for a minimum of six years and to provide that documentation to OCR upon demand.

    Violations of the Privacy Rule can carry stiff civil monetary penalties or even criminal penalties.  Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

    Resolution Agreements the just announced FileFax Resolution Agreement allow Covered Entities and business associates to resolve potentially substantially larger civil monetary penalty liabilities that OCR can impose under the civil enforcement provisions of HIPAA for HIPAA violations through a negotiated settlement process.  As amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both Covered Entities and BAs for violations of any of the requirements of the Privacy or Security Rules.  The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation.  As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

    • A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
    • A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the Covered Entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
    • A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
    • A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the Covered Entity or BA knew or should have known of the violation.

    For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation.  However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year.  For violations such as the failure to implement and maintain a required BAA where more than one Covered Entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

    In addition to these potential civil liability exposures, Covered Entities, their business associates and other individuals or organizations that wrongfully use, access or disclose electronic or other protected health information also can face civil liability under various circumstances.  The criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

    • A fine of up to $50,000, imprisoned not more than 1 year, or both;
    • If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
    • If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

    Because HIPAA Privacy Rule criminal violations are Class A Misdemeanors or felonies, Covered Entities and business associates should include HIPAA compliance in their Federal Sentencing Guideline Compliance Programs and practices and need to be concerned both about criminal exposure for their own direct violations, as well as imputed organizational liability for violations committed by their employees or agents under the Federal Sentencing Guidelines, particularly where their failure to implement or administer these required compliance policies and practices or failure to properly investigate or redress potential violations enables, perpetuates or covers up the criminal breach.

    FileFax, Inc.  Breach & Resolution Agreement

    While Congress amended the Civil Monetary Penalty provisions of HIPAA enforced by OCR to make many of the requirements and Civil Monetary Penalty sanctions of HIPAA directly enforceable by OCR against business associates as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, the FileFax Resolution Agreement appears to be the first HIPAA resolution agreement with a business associate announced by OCR.

    Indeed, OCR’s enforcement action that resulted in the FileFax Resolution Agreement would never have occurred had FileFax, Inc. not become involved in handling medical records containing PHI in the capacity of a business associate for Covered Entities.

    Before filing for bankruptcy in 2016, FileFax, Inc. advertised it provided HIPAA-compliant storage, maintenance, and delivery of medical records for HIPAA Covered Entities including Illinois based health care provider CCDC, which entered into a resolution agreement with OCR in April, 2017 to resolve OCR charges that it violated HIPAA by allowing FileFax, Inc. to handle PHI without fulfilling HIPAA’s business associate agreement requirements.

    Like the CCDC Resolution Agreement, the FileFax, Inc. Resolution Agreement resulted from an investigation of FileFax, Inc. that OCR began in response to a February 10, 2015 anonymous complaint filed with OCR about FileFax, Inc. about deficiencies in its delivery of these HIPAA services in its capacity as a business associate to Covered Entities. The complaint to OCR alleged that FileFax, Inc. violated these requirements because an individual transported medical records obtained from FileFax, Inc. to a shredding and recycling facility to sell on February 6 and 9, 2015.

    OCR’s investigation of the complaint against FileFax, Inc. confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ PHI.  OCR’s investigation additionally found that between January 28, 2015, and February 14, 2015, FileFax, Inc. impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the FileFax, Inc.  parking lot, or by granting permission to an unauthorized person to remove the PHI from FileFax, Inc. and leaving the PHI unsecured outside the FileFax, Inc. facility.

    After OCR commenced its investigation of the complaint, FileFax, Inc. was placed into bankruptcy and a receiver was appointed to liquidate FileFax, Inc.’s assets for distribution to creditors and others in 2016.  Despite the bankruptcy, OCR continued to pursue enforcement against FileFax, Inc. for the HIPAA violations it found through its investigation.  On February 13, 2018, OCR announced that that the receiver on behalf of FileFax, Inc. had agreed in the FileFax Resolution Agreement to pay a $100,000 monetary settlement out of the bankruptcy estate and to arrange to properly store and dispose of remaining medical records found at FileFax, Inc.’s facility in compliance with HIPAA to resolve OCR’s HIPAA charges against FileFax, Inc.

    OCR Previously Sanctioned Covered Entity For Involvement With FileFax, Inc.

    Beyond affirming the exposure business associates to OCR civil monetary penalties or other enforcement for violating HIPAA, the FileFax Resolution Agreement in conjunction with OCR’s previously announced April 20, 2017 resolution agreement (CCDC Resolution Agreement) with CCDC also demonstrates the need for Covered Entities to recognize that their organizations are likely to face HIPAA investigations or enforcement from HIPAA violations by or OCR audits or investigations of the conduct of their business associates.

    In fact, this is exactly what happened to CCDC.  A small, Illinois based Covered Entity, CCDC used FileFax, Inc. to store and dispose of medical records.  As a consequence of the FileFax, Inc. investigation, OCR conducted a compliance review of CCDC.  OCR reports that its compliance review revealed that while CCDC had disclosed to and allowed FileFax, Inc. to store records containing PHI for CCDC since in 2003, neither party could produce a signed business associate agreement (BAA) prior to October 12, 2015.   As a consequence, OCR charged CCDC with violating HIPAA by disclosing PHI to FileFax, Inc. in violation of HIPAA’s business associate requirements.

    To resolve its exposure to potentially much greater civil monetary penalties associated with this charge, CCDC agreed under the CCDC Resolution Agreement to pay OCR a $31,000 resolution payment and take a variety of corrective actions.  Beyond requiring CCDC to implement and maintain  written business associate agreements before allowing business associates to possess or access PHI, the corrective action plan imposed as part of the CCDC Resolution Agreement also expressly requires CCDC to promptly investigate information of a possible violation of its HIPAA policies and procedures by  a “workforce member,” which the Privacy Rule defines to include a business associate, and if the investigation reveals a violation, to report the violation and corrective action taken to OCR.

    OCR Enforces HIPAA Against Covered Entities & Business Associates In Bankruptcy

    OCR’s announcement of the FileFax Resolution Agreement also is significant in its reaffirmation of OCR to its commitment to HIPAA enforcement, even if the HIPAA-violating Covered Entity or business associate goes bankruptcy.

    OCR’s enforcement action against FileFax, Inc. despite its bankruptcy and its successful negotiation of the FileFax Resolution Agreement within the bankruptcy should alert Covered Entities and business associates that OCR does not consider the bankruptcy of a Covered Entity or business associate as an obstacle to OCR enforcement against Covered Entities or business associates that violate HIPAA.   The seriousness of OCR’s commitment to enforcement, even in the face of bankruptcy is driven home by its announcement of the FileFax Resolution Agreement on the heels of its December, 2017 announcement of its first OCR HIPAA resolution agreement secured with the formal approval of a bankruptcy court, a resolution agreement (21CO Resolution Agreement) against bankrupt health care provider, 21CO.

    Secured with bankruptcy court approval, the 21CO Resolution Agreement resolved potentially much larger civil monetary penalties that the Fort Myers, Florida based provider of cancer care services and radiation oncology could have faced for alleged HIPAA breaches OCR charged it committed in connection with its failure to adequately act to prevent and respond to hacking and misappropriation of records containing sensitive electronic protected health information (ePHI) of up to 2,213597 individuals.

    The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 than unauthorized third party illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by a FBI informant.  As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.

    Although it knew of the breaches in November and December, 2015, 21CO waited more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March, 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.

    When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused.  However some victims of the breach subsequently have claimed being victimized by a variety of scams since the breach in news reports and lawsuits about the breach.

    At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues.  On December 16, 2015, 21CO announced that a 21CO subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015).  Among other things, the corporate integrity agreement required by that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws.  In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA.  See 21CO 8-K Re: GAMMA Settlement March 9, 2016 ;  See also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.

    Based on OCR’s subsequent investigation into these breaches, OCR found:

    • 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
    • 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
    • 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
    •  21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. §164.308(a)(1)(ii)(D);
    • 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

    In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement entered into with the approval of the Bankruptcy Court requires that 21CO pay OCR a $2.3 million Resolution Amount and implement to OCR’s satisfaction a corrective action plan that among other things requires that 21CO complete a detailed series of corrective actions to the satisfaction of OCR.

    In addition to the OCR investigation that lead to the 21CO Resolution Agreement announced by OCR on December 28, 2017, 21CO experienced other fallout following its March 4, 2016 public disclosure of the breach.  Not surprisingly, the breach notification led to a multitude of class-action civil lawsuits by breach victims and shareholders.  See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits.  Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts.  See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.

    These and other developments also had significant consequences on 21CO’s financial status and leadership.  By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements.  Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders, default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.

    Because 21CO sought bankruptcy court protection from the fallout of its HIPAA breaches and other compliance and business issues, the 21CO Resolution Agreement required bankruptcy court approval. Funds for payment of the required $2.3 million resolution payment and other charges associated with the investigation apparently are being provided in part from breach liability insurance coverage provided under a policy issued by Beazley Insurance, as the Bankruptcy Court order directs Beazley Breach Response Policy No. W140E2150301 to make immediate payment to the OCR of the resolution amount and the payment of fees incurred by 21CO in connection with regulatory defense issues.

    HIPAA & Data Breach Enforcement & Other Risks Growing 

    Covered Entities, their business associates, their leaders, investors and members of their workforce need to recognize that the FileFax, CCDC, 21CO and other resolution agreements are part of a growing trend, rather than isolated incidents of enforcement and that their exposure to investigation and enforcement is likely to continue to rise in the face of growing public and Congressional concern about privacy and data security.

    While civil monetary penalty enforcement remains much more common than criminal prosecution, Covered Entities, their business associates and members of their workforce must understand that HIPAA enforcement and resulting liability is growing and that this trend is likely to continue if not increase.

    While Department of Justice federal criminal prosecutions and convictions under HIPAA remain relatively rare, they occur and are growing.  See e.g.,  Former Hospital Employee Sentenced for HIPAA Violations (Texas man sentenced to 18 months in federal prison for obtaining protected health information with the intent to use it for personal gain); Three Life Sentences Imposed On Man Following Convictions For Drug Trafficking, Kidnapping, Using Firearms and HIPAA Violations (drug king pin gets multiple 10 year consecutive prison terms for unauthorized access to private health information in violation of HIPAA; his health care worker friend sentenced for accessing electronic medical files and reporting information to him); Former Therapist Charged In HIPAA Case; Hefty Prison Sentence in ID Theft Case (former assisted living facility worker gets 37 months in prison after pleading guilty to wrongful disclosure of HIPAA protected information and other charges); Hefty Prison Sentence in ID Theft Case (former medical supply company owner sentenced to 12 years for HIPAA violations and fraud).  While the harshest sentences tend to be associated with health care fraud or other criminal conduct, lighter criminal sentences are imposed against defendants in other cases as well. See e.g., Sentencing In S.C. Medicaid Breach Case (former South Carolina state employee sentenced to three years’ probation, plus community service, for sending personal information about more than 228,000 Medicaid recipients to his personal e-mail account.); HIPAA Violation Leads To Prison Term (former UCLA Healthcare System surgeon gets four months in prison after admitting he illegally read private electronic medical records of celebrities and others.)

    While criminal enforcement of HIPAA remains relatively rare and OCR to date only actually has assessed HIPAA civil monetary penalties against certain Covered Entities for violating HIPAA in a couple isolated instances, the growing list of multi-million dollar resolution payments against Covered Entities and with the FileFax Resolution Agreement announcement, now also business associates for violating HIPAA make clear that HIPAA enforcement is both meaningful and growing.   See e.g., Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules ($3.2 million Children’s Medical Center HIPAA Civil Monetary Penalty);  1st HIPAA Privacy Civil Penalty of $4.3 Million Signals CMS Serious About HIPAA Enforcement;  $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit.  For more examples, also see here.

    The experiences of FileFax, Inc., CCDC, 21CO and these other OCR HIPAA Resolution Agreements provide strong evidence that that health plans and other Covered Entities and their business associates can anticipate that OCR will continue to zealously investigate HIPAA breaches and other HIPAA violations.  Aside from OCR’s recurrent affirmations of its commitment to HIPAA enforcement, Covered Entities, their business associates and their leaders must recognize that public and Congressional privacy and data security concerns fueled by the ever growing stream of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses are creating additional pressure upon OCR and other agencies to pursue even stronger and more aggressive HIPAA oversight and enforcement. Amid this growing concern, OCR, the FTC and other federal and state agencies with regulatory or enforcement authority over HIPAA or other data security and privacy concerns face increasing scrutiny and pressure to take meaningful action to regulate and enforce HIPAA and other laws intended to protect sensitive data even as private litigants enjoy increasing success in obtaining civil judgments from damages resulting from breaches of their PHI or other sensitive personal information using an expanding arsenal of legal theories of recovery.  In the face of these growing concerns about privacy and data security, OCR can be expected to continue, if not increase its HIPAA compliance enforcement and oversight by OCR.

    Furthermore, the experiences of FileFax, Inc., 21CO, CCDC and other Covered Entities and business associates that already have become the subject of OCR investigation or enforcement also reflect that HIPAA resolution payments or penalties paid to OCR and other costs and expenses associated with the defense and resolution of OCR’s investigations and enforcement actions typically only a portion of the financial and other business consequences that Covered Entities or business associates might expect to incur as a consequence of a breach of PHI or other substantial HIPAA violation or charge.

    Beyond their potential HIPAA enforcement exposures following a HIPAA covered data breach or other violation, health care or other Covered Entities and members of their workforce experiencing breaches of ePHI or other PHI often also face FTC or other government investigations and enforcement relating their data breaches under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other laws.  They or members of their workforce may face licensing board, credentialing, accreditation, contractual or other investigations or sanctions.  Victims, business partners, investors and others often bring civil litigation to address losses or other injures associated with the breach or other misconduct.  In addition, losses and disruptions in patients, plan member, vendor, investor, employee, management and other business relationships, and other business disruptions also are common.

    Where the breach of other HIPAA violation involves a health plan, health plans, their fiduciaries and sponsors also need to give due consideration to the implications and exposures that might arise under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Beyond the direct exposure of their health plan to HIPAA and other compliance liabilities, health plan fiduciaries generally will want to consider whether their fiduciary responsibility under ERISA requires that prudent or other steps be taken to safeguard health plan information and maintain and administer their health plan in accordance with HIPAA and other laws.  As a consequence, fiduciaries generally will want to ensure that they take and document prudent steps to evaluate, monitor and address HIPAA and other privacy and data security safeguards to minimize not only the liability exposures of their health plans, but also to help mitigate their own potential personal liability exposures that could arise or be asserted in response to a HIPAA breach or other HIPAA violation involving their health plans.

    In the face of these growing risks and liabilities, Covered Entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences.  In addition to reaffirming the need for Covered Entities and their business associates to take the necessary steps to maintain and effectively demonstrate the adequacy of their own HIPAA compliance, the CCDC and FileFax Resolution Agreements alert Covered Entities and business associates of the advisability of greater oversight and risk management of their dealings and relationships with the other Covered Entities and business associates with access to or involvement with their PHI or other critical functions.

    In light of these rises, leaders, investors, insurers, lenders and others involved with Covered Entities and their business associates should take steps to verify that the Covered Entities and their business associates not only maintain compliance with HIPAA and its business associate and other privacy, data security and breach notification and response requirements, but also maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.  The bankruptcies and other financial and business fallout of HIPAA or other data breaches experienced by FileFax, Inc. 21CO and other HIPAA-covered and non-HIPAA regulated entities also makes clear that Covered Entities and business associates should anticipate that their own fallout from a breach or other HIPAA event and resulting responsibilities and consequences could be impacted by their own or a business associate’s financial distress or bankruptcy.  Beyond the risk that their own or another entity’s breach, compliance issues, or other financial or business issues could trigger breach investigation, notice or other responsibilities for their own organizations, Covered Entities, business associates and their leaders also should evaluate and revise their HIPAA risk assessments and security plans to address foreseeable threats to the availability, access, retention and security of PHI and associated records and systems.

    The Bankruptcy Court’s order to 21CO’s cyber liability insurer to pay the resolution payment required under the 21CO Resolution Agreement and other costs of investigation and defense also strongly suggests that the purchase of insurance and other arrangements for funding costs of defense or settlement should be included in these evaluations.

    In light of these rises, leaders, investors, insurers, lenders and others involved with Covered Entities and their business associates should take steps to verify that the Covered Entities and their business associates not only maintain compliance with HIPAA, but also comply with data security, privacy and other information protection requirements arising under other laws, regulations, and contracts, as well as the practical business risks that typically follow the announcement of a breach.  Considering these risks, Covered Entities and their business associates should recognize the advisability of taking meaningful, documented action to verify their existing compliance and ongoing oversight to ensure their organizations can demonstrate appropriate action to maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.

    As part of these efforts, Covered Entities and their business associates should ensure that they have conducted, and maintain and are ready to produce appropriate policies and procedures backed up by a well-documented, up-to-date industry wide risk assessment of their organization’s susceptibility to breaches or other misuse of electronic or other protected health information.  The starting point of these efforts should be to adopt and enforce updated written policies, procedures, technical and physical safeguards, processes and training to prevent the improper use, access, destruction or disclosure of patient PHI.  Processes also should create, retain and be designed to cost effectively track, capture, and retain both all protected health information, its use, access, protection, destruction and disclosure, and the requisite supportive documentation supporting the appropriateness of those action to position the organization cost-effectively and quickly to fulfill required accounting, reporting and other needs in the event of a data breach, audit, participant inquiry or other event.

    As part of this process, Covered Entities and business associates should maintain strong and ongoing processes for assessing and monitoring the adequacy of their policies and practices.  In addition to ensuring that their organization has a comprehensive risk management and compliance assessment, Covered Entities and business associates need to conduct documented periodic audits and spot HIPAA audits and assessments.  In doing so, they must use care to look outside the four corners of their Privacy Policies and core operating systems to ensure that their policies, practices, oversight and training address all protected health information within their operations on an entity wide basis. This entity-wide assessment should include communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer.

    In connection with these efforts, the enforcement actions make clear that Covered Entities and business associates should adopt, implement and monitor PHI privacy, and security on an entity wide basis.  These efforts should include general policies, practices and procedures as well as specifically tailored policies, processes and training to protect PHI and preserve HIPAA compliance throughout their organization. Testing and analysis should be conducted on a regular basis.  Documented reassessments and testing should be performed in response to software, hardware or other changes or events that could impact security or other operations.  Beyond security, attention also should cover business or system interruption including losses that might occur from the bankruptcy, termination of business or other disruptions of business associates or other parties.  Attention should be paid both to protecting access and use of PHI and ePHI in the course of business as well as the transmission, transport, storage and destruction of records or systems containing such information.

    Careful attention should be devoted to ensuring that business associate agreements   as well and other processes provide for HIPAA compliance with respect to all PHI created, used, accessed or disclosed to business associates or others not part of their direct workforce or operating outside the core boundaries of their facilities.

    Covered entities and their business associates also must recognize and design their compliance efforts and documentation recognizing that HIPAA compliance is a living process, which require both constant diligence about changes in systems or other events that may require reevaluation or adjustments, whether from changes in software, systems or processes or external threats.

    Because the cost of responding to and investigating breaches or other compliance concern can be quite burdensome, Covered Entities and their business associates also generally will want to pursue options to plan for and minimize potential expenses in the design and administration of their programs as well as to minimize and cover the potentially extraordinary costs of breach or other compliance investigation and results that commonly arise following a breach or other compliance event.  As a part of this planning, Covered Entities and their business associates also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures.

    While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts  (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

    • Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
    • Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
    • Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
    • In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

    Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, Covered Entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

    About The Author

    Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with health care providers, health plans, insurers and financial services, and other clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career.  Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

    Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers.    Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  For information about republication, please contact the author directly. All other rights reserved.

     

    Leave a Comment » | Academic medicine, Ambulatory care, Anethesiology, Centers For Disease Control, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Cyber crime, data breach, data security, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, FACTA, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, Health Care, Health care coding, Health Care Provider, health care reimbursement, Health Insurance Exchange, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HHS, HIPAA, HIPAA Cyber Crime, home health, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Joint Commission, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Privacy, Public Policy, Technology, Uncategorized | Permalink
    Posted by Cynthia Marcotte Stamer

    $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments

    April 12, 2017

    Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), must pay $400,000 and implement a corrective action plan to resolve U.S. Department of Health and Human Services, Office for Civil Rights (OCR) charges it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement  a security management process to safeguard electronic protected health information (ePHI).  The settlement is the latest reminder to health providers, payers and their business associates to conduct timely risk assessments, implement needed security and otherwise manage HIPAA compliance.

    The Resolution Agreement and Corrective Action Plan, like most others before it, resulted from an investigation opened in response to a breach report.  On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident.  However, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012 – well after the hacking incident reported in the breach report.

    Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. 

    When MCPN finally conducted a risk analysis, OCR found that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

    OCR made a point in announcing the Resolution Agreement of noting it considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.  It is likely that OCR would have imposed a much greater settlement amount had the covered entity not been a FQHC serving the poor.

    About The Author

    Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

    Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations. 

    Throughout her career, she has  helped health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training ;board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

    Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other laws.  

    The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.
    As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

    Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

    Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.
     

    Leave a Comment » | Academic medicine, Ambulatory care, ASC, Border Health, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, data breach, data security, Disease Management, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Employment, ERISA, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Provider, Health Insurance Exchange, Health IT, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medical Privacy, Medical Records, Medicare Advantage, Mental Health, Mental Heatlh, OCR, Patient Empowerment, Peer Review, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Privacy, Psychiatric, public health, Rural Health Care, Technology, Telemedicine, Veterans Health, Veterans Health Administration, Veterans Health Care, Wellness | Permalink
    Posted by Cynthia Marcotte Stamer

    $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit

    February 16, 2017

    Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The nonprofit corporation which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities throughout the South Florida area with affiliated physician offices through an Organized Health Care Arrangement (OHCA) also agreed to implement a robust corrective action plan as part of the Resolution Agreement.

    The MHS Resolution sends a strong message to all health care providers, health plans health care clearinghouses (Covered Entities) and their business associates that simply adopting HIPAA policies alone is insufficient to avoid getting nailed by OCR under HIPAA;  Covered Entities and their business associates also must implement, audit and enforce those policies.

    The MHS Resolution Agreement resulted from an investigation initiated by the HHS Office for Civil Rights (OCR) after  MHS reported to OCR that protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. 

    The investigation revealed that although MHS had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

    MHS’ failure to follow through to implement the controls required by its policies and audit and enforce compliance with HIPAA and its HIPAA policies was a costly mistake.  Other Covered Entities should heed MHS’ painful lesson and take documented steps to ensure its HIPAA policies not only are adopted, but also implemented and monitored and audited for compliance.

    Leave a Comment » | Academic medicine, Ambulatory care, ASC, Border Health, Childrens Health Insurance Program, Civil Rights, Consumer Driven Health Care, Corporate Compliance, data breach, data security, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health Care Quality, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Laws, Meaningful Use, Medicaid, Medical Licensure, Medical Privacy, Medical Records, Medicare Advantage | Tagged: , , , , , , | Permalink
    Posted by Cynthia Marcotte Stamer

    Prepare For Changing IRS Tax-Exempt Org & Employee Plan Audit & Exam Info Request Rules

    November 22, 2016

    Health care organizations sponsoring tax-qualified employee benefit plans or operating as tax-exempt entities under the Internal Revenue (Code) should expect changes in the practices Internal Revenue Service (IRS) agents use to issue and enforce document requests (IDRs) in connection with an IRS audit or other investigation of their employee benefit plans’ tax status or compliance after March 1, 2017.

    The IRS Tax Exempt and Government Entities Division (TEGE) just issued internal guidance (Guidance) outlining the new procedures its agents will use to gather information for employee benefit plan and exempt organization examinations including information requests made in connection with:

    • Employee Benefit Form 5500 Examination Procedures
    • Exempt Organizations Pre-Audit Procedures
    • On-Site Examinations
    • Tax Exempt Bonds Examinations
    • Indian Tribal Government Examinations and
    • Federal, State and Local Governments (FSLG) Examinations

    The new Guidance follows other recent announcements of changes of IRS employee plan or exempt organization procedures such as recently announced changes in IRS employee plan correction procedures.  See, e.g., IRS Qualified Plan Correction Procedures Changing 1/1/17.

    The new procedures defined in the Guidance apply more broadly and take effect April 1, 2017.  The Guidance also requires that TEGE update the following IRMs to specifically reflect the new procedures within the next two years:

    • IRM 4.71.1, Overview of Form 5500 Examination Procedures;
    • IRM 4.75.10, Exempt Organizations Pre-Audit Procedures;
    • IRM 4.75.11, On-Site Examination Guidelines;
    • IRM 4.81.5, Tax Exempt Bonds Examination Program Procedures – Conducting the Examination;
    • IRM 4.86.5, Conducting Indian Tribal Government Examinations; and
    • IRM 4.90.9, Federal, State and Local Governments (FSLG) – Procedures, Workpapers and Report Writing.

    According to TEGE the new procedures set forth in the Guidance are designed to “ensure” that IRS Counsel is prepared to enforce IDRs through the issuance of a summons when necessary while also reinforcing the IRS’ commitment to the respect of taxpayer rights under the Taxpayer Bill of Rights.  TEGE says the updated procedures established in the Guidance will promote these goals by:

    • Providing for open and meaningful communication between the IRS and taxpayers;
    • Reducing taxpayer burdens
    • Providing for consistent treatment of taxpayers;
    • Allowing the IRS to secure more complete and timely responses to IDRs;
    • Providing consistent timelines for IRS agents to review IDR responses; and
    • Promoting timely issue resolution.

    In furtherance of these goals, the new Guidance, among other things requires:

    • “Active involvement” by managers of IRS examiners’ early in the process;
    • Taxpayers to be involved in the IDR process;
    • Examiners to discuss the issue being examined and the information needed with the taxpayer prior to issuing an IDR;
    • Examiners to ensure that the IDR clearly states the issue and the relevant information they are requesting;
    • If the taxpayer does not timely provide the information requested in the IDR by the agreed upon date, including extensions, examiners to issue a delinquency notice;
    • If the taxpayer fails to respond to the delinquency notice or provides an incomplete response, for the examiner to issue a pre-summons notice to advise the taxpayer that the IRS will issue a summons unless the missing items are fully provided; and
    • For a summons to be issued if the taxpayer fails to provide a complete response to the pre-summons letter by its response due date.

    While it remains to be seen exactly how well the new procedures will promote the intended goals in operation, leaders, sponsors, administrators and tax advisors to employee benefit plans and exempt organizations tagged for audits after the Guidelines will need to understand these new procedures to take advantage of all available options for mitigating exposures and liability from the audit as well as to avoid unfortunate missteps that could result in forfeiture of otherwise available tax-related rights and options or otherwise increase the tax and other associated risks and liabilities of the entities or others associated with them arising from the audit.

    Along with responding to these tax-related risks, leaders and advisors of health care or other tax-exempt organizations and sponsors and sponsors, fiduciaries, and administrators of tax-qualified employee benefit plans also should keep in mind and take steps to ensure the often substantial non-tax related risks that usually arise concurrently or evolve from a TEGE or other tax-related audit or investigation of their benefit programs or tax-exempt status when preparing for or responding to a TEGE audit or investigation.  These often substantial tax and non-tax exposures typically makes it desirable if not necessary to involve experienced legal counsel in the process as soon as possible.

    To help their entities or employee benefit plans respond appropriately to an audit and manage tax and non-tax related risks and responsibilities that the audit may trigger or enhance the entity, its responsible sponsoring entities, fiduciaries, officers and board members, or other responsible parties generally should seek legal advice within the scope of attorney-client privilege from legal counsel not only immediately upon receiving an IDR or other notice of an IRS audit or investigation, as well periodically before notification of an audit or investigation. Early involvement of legal counsel generally is necessary both to understand and manage both the tax and non-tax exposures associated with the audit, as well as to preserve and utilize the potential benefits of attorney-client privilege and other evidentiary privileges that could help to mitigate both the tax and non-tax related risks for the entity and other responsible parties.  Pre-audit consultation with qualified legal counsel within the scope of attorney-client privilege also can help to prevent or resolve potential tax-qualification or other compliance concerns on a coordinated, holistic basis in advance or more efficiently in the event of an audit or investigation.  Such pre-audit review and planning often can help entities and their leaders prevent or resolve problems with more flexibility and less risk for the entity and responsible leaders.

    When planning for or responding to a TEGE or other audit or other investigation, tax-exemption hospitals and employee benefit plan sponsors and fiduciaries generally will want to engage qualified legal counsel to guide these activities and maximize the availability of attorney-client privileged, work product and other evidentiary privileges.  While federal tax rules afford some evidentiary privileges to certain accounting professionals when providing tax representation or advice, the protective scope of such privileges generally are more limited than attorney-client privilege and work product evidentiary privileges and typically do not apply to non-tax matters.  The narrower availability of evidentiary privileges generally makes it advisable to engage legal counsel at the beginning of the process to help maximize the availability of evidentiary privileges throughout the process.  As a result, most entities and their leaders will want to consider involvement of legal counsel to maximize privilege protections and non-tax related exposures even if the parties plan for a qualified tax professional or other consultant to play a significant role in assisting them to prepare for and respond to the audit.

    About The Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications.

    Ms. Stamer works with health industry and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

    Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com   or contact Ms. Stamer via email here  or via telephone to (469) 767-8872.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

    ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.

     

    Leave a Comment » | Academic medicine, Affordable Care Act, Ambulatory care, Border Health, Consumer Driven Health Care, Corporate Compliance, DME, Employee Benefits, Employer, Employment law, Federal Sentencing Guidelines, Grants, Health Care, Health Care Finance, Health Care Provider, Health Plan, Health Plans, healthcare, Home Health, Hospice, Hospital, Indian Health, Nonprofits, public health, Tax, Tax-Exemption, Uncategorized | Tagged: , , , , , , , , , , , , | Permalink
    Posted by Cynthia Marcotte Stamer

    $2.4M+ St. Joseph Health HIPAA Settlement Teaching Lesson For Other HIPAA-Covered Entities & Business Associates

    October 25, 2016

    St. Joseph Health (SJH)  has agreed to pay  a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan under a Resolution Agreement and Corrective Action Plan (SJH Settlement) reached with the  Department of Health & Human Services (HHS) Office of Civil Rights (OCR)  to settle OCR charges that SJH violated the Privacy & Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) by allowing files containing electronic protected health information (ePHI) of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012.  The SJH Settlement announced here by OCR on October 18, 2016 demonstrates the mounting HIPAA enforcement exposures that HIPAA-covered health care providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) risk when a breach of ePHI or other prohibited use, access, destruction or disclosure of ePHI or other personal health information (PHI) results from the failure of the Covered Entity or its business associates to properly protect or secure it in accordance with HIPAA.  A review of the SJH Settlement drives home the point that Covered Entities should not assume that meaningful use or other electronic recordkeeping systems containing ePHI are properly secured in accordance with HIPAA.

    SJH Investigation & Charges Resulting In $2.4 Million+ Settlement

    A nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, who through its 24,000 employees and 6,000 physicians provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SHS’ 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

    OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJS filed with OCR.  On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals-St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

    SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information  from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

    OCR’s investigation indicated the following potential violations of the HIPAA Rules:

    • From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
    • Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
    • Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

    SJH Settlement Agreement Highlights

    Under the settlement agreement with SJH that OCR announced on October 18, 2016, SJH must pay a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.  SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

    Among other things, the Corrective Action Plan specifically requires that SJH:

    • Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHJ);
    • Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
    • Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
    • Distribute the risk management plan as finally approved by OCR to to workforce members involved with implementation of the plan within 30 days of OCR approval;
    • Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
    • Prepare for review of OCR training materials and once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
    • Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
    • Submit annual report to OCR signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
    • Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

    Take Away For Other Covered Entities & Business Associates

    To help safeguard their own organizations against potential sanctions from OCR and other HIPAA enforcement risks, Covered Entities and their business associates should ensure that their organization possesses a well-documented current enterprise-wide risk assessment, as well as has in place and is administering as necessary to maintain the currency and adequacy of its risk assessment strong practices for conducting documented evaluations of their own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA, taking into account recent OCR guidance,  its initiation of its Phase II audit program, the insights offered by the SJH and other OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate’s operations that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks..

     In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation to in response to OCR’s;

    As breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, contractual,  tort and other exposures, Covered Entities and their business associates also generally are best served to take into account these other responsibilities and exposures in conjunction with the design and administration of their HIPAA compliance and risk management policies and practices.

    Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, training, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attends these events.  In addition, given the typically high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR changes, most Covered Entities and their business associations will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the often substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices also are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

    About The Author

    Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

    Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

    As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

    Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com  or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

    ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.  

    Leave a Comment » | Academic medicine, Ambulatory care, ARRA, Civil Rights, Conditions of Participation, Corporate Compliance, data breach, data security, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, Health Policy, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, Indian Health, Laws, managed care, Meaningful Use, Medical Malpractice, Medical Privacy, Medical Records, Medicare Advantage, Mental Health, Mental Heatlh, Outcomes Data, Pharmaceudical, Pharmacy, Privacy, Psychiatric, Public Policy, Uncategorized, Wellness | Tagged: , , | Permalink
    Posted by Cynthia Marcotte Stamer

    All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement

    July 27, 2016

    Health care providers, health plans, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC) documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.

    UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement

    Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions.  Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

    The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.

    Like many prior resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing.  OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR.  UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.

    UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

    After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.

    In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report.  Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.

    While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR’s additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.

    Based on these findings, OCR charged UMMC with the following HIPAA violations:

    • From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
    • From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
    • From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. § 164.312 (a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
    • While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI,, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

    Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

    To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.

    Lessons For Other Covered Entities From UMMC Resolution Agreement

    The UMMC charges and Resolution Agreement contains several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed..

    Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.

    Furthermore, the charges and Resolution Agreement also adds a new twist to OCR’s now well established to stiffly sanction covered entities and their business associates that fail appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI.  The UMMC charges and Resolution Agreement makes clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption.  Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.

    The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop as well as other data bases and systems containing ePHI accessible through the laptop.  In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:

    • To safeguard the physical security of laptops and other mobile devices;
    • To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
    • To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.

    Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguard by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.

    In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels. Stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”  She also warned “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

    Additionally, the Resolution Agreement also illustrates need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.

    Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.

    About The Author

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section,  the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past  Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

    Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

    Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns.  The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical  staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

    You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

     

    About Solutions Law Press Inc.™

    Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

    If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following: