Health Care |

HHS Enforcement Actions Warns Providers & Grant Recipients To Honor Religious Conscience Rights

December 10, 2025

The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announcement of its fifth investigation examining compliance with Federal laws that safeguard conscience rights for health care professionals during President Trump’s second Administration warns States and other federal health program recipients against discriminating against or failing to appropriately accommodate faith-based organization and providers.

On December 8, 2025, OCR announced the launch of “a major investigation” into a State health department to assess whether its licensing policies, interpretations, or enforcement practices for behavioral health residential facilities and licensed behavioral health personnel violate Federal law by:

Discriminating against faith-based organizations in the administration and/or enforcement of licensing requirements, including requiring any facilitation of sex-rejecting procedures and female genital mutilation (FGM) and treating religious objections as grounds for adverse licensure action, including denial or termination of professional licenses;
Discriminating against institutional and/or individual health care entities for their religious objections to provide, pay for, provide coverage of, or refer for abortion, including through licensing, certification, or other determinations of legal status or participation; or
Requiring any individual in a health service program funded by HHS to perform or assist in the performance of services contrary to that individual’s religious beliefs or moral convictions, including counseling or other assistance related to abortion, sex-rejecting procedures, or FGM.

According to OCR, OCR’s investigation will proceed under applicable laws including:

The Equal Treatment for Faith-Based Organizations rule (45 C.F.R. part 87), which prohibits discrimination against faith-based providers in HHS-supported programs; and
Federal health care conscience protection statutes administered under 45 C.F.R. part 88, including the Weldon Amendment, the Coats-Snowe Amendment (42 U.S.C. § 238n), and the Church Amendments (42 U.S.C. § 300a-7).

The announcement also demonstrates continued efforts across HHS to preserve the fundamental rights of conscience and religious exercise.

Since OCR enforces Federal protections against discrimination based on conscience and religion in specific programs funded by HHS Federal financial assistance and grant and block grant programs that prohibit discrimination against individuals on the basis of religion, all entities involved in of these programs should reaffirm their compliance and mitigate exposures based on the Administration’s enforcement policies and priorities.

If you have questions about this or other health care concerns, contact the author.

More Information

We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as “Top Rated Lawyer” and “LEGAL LEADER™ “Top Rated Lawyer” and “Best Lawyer” for her work in Health Care Law, Labor and Employment Law; ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is an A Martindale-Hubble “AV-Preeminent” (Top 1%) attorneys board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..

Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other highly regarded publications and presentations, Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, Discrimination, Doctor, drug treatment, Health Care, Health Care Finance, Health Care Provider, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Mental Health, public health, Religion, Reproductive Rights | Permalink
Posted by Cynthia Marcotte Stamer

OCR’s 8th Investigation Announcement Clearly Warns HHS-Funded Organizations To Ensure Merit-Based Decisions & Manage Antisemitism & Other Prohibited Discrimination Risks

May 14, 2025

Academic medicine and other education, health care, Medicare or Medicaid Advantage insurers, and other organizations received another warning to update and strengthen the defensibility of their policies and practices system-wide for preventing anti-Semitism, and other race, color, national origin, race, religious or other discrimination from the Department of Health & Human Service’s May 13, 2025, announcement of another investigation of another university for anti-Semitism in violation of the Civil Rights Act of 1964 (“CRA”) and other federal civil rights laws.

The Civil Rights Act of 1964 (the “CRA”), the Equal Protection Clause of the 14^th Amendment to the United States Constitution, Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and various other federal laws discrimination on the basis of race, national origin, color and certain other status by covered government or private organizations by health care, Medicare and Medicaid Advantage, academic medicine and other education, child care, research and other HHS-funded organizations, employers and other entities.

Since President Donald J. Trump (“President Trump”) took office in January, HHS OCR, the Departments of Education and Justice, the Equal Employment Opportunity Commission (“EEOC”) and other federal agencies are aggressively investigating anti-Semitism, anti-Christianity, and certain other race, color, national origin and religious discrimination by academic medicine and other educational institutions, health care organizations, health insurers, employers and other organizations covered by these civil rights laws. These investigations and enforcement actions target prohibited discrimination in all forms, including the use of race, national original, color, sex, religion and other non-merit based criteria, even when those criteria are applied to promote racial balancing, diversity or other similar goals.

Trump Merit-Based Civil Rights Executive Orders Heighten Public & Private Civil Rights & Other Discrimination Risks

This heightened investigation and enforcement emphasis is a direct response to the directives of President Trump in a series of Executive Orders directing federal agencies zealously to combat anti-Semitism, anti-Christian, and other discrimination or bias based on race, color, national origin and religion. See e.g., Executive Order 14188 – Additional Measures To Combat Anti-Semitism (January 29, 2025); Executive Order 14202, Eradicating Anti-Christian Bias (February 6, 2025); Executive Order 14291, Establishment of the Religious Liberty Commission (“May 11, 2025); and Executive Order 14291, Establishment of the Religious Liberty Commission (May 1, 2025).

As part of these directives, President Trump specifically singled out anti-Semitism for special attention and concern, In Executive Order 14188, for instance, President Trump directed HHS, the Justice Department and other agencies to vigorously enforce the Civil Rights Act to combat the rise of anti-Semitism and anti-Semitic incidents in the U.S. and around the world. While Executive Order 14188 specifically targeted the use of the Civil Rights Act and other federal prohibitions against race, color and national origin discrimination to fight anti-Semitism, Executive Order 14188 also noted that anti-Semitism also can violate federal protections against religious discrimination, stating:

…[Title VII] prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving Federal financial assistance. While Title VI does not cover discrimination based on religion, individuals who face discrimination on the basis of race, color, or national origin do not lose protection under Title VI for also being a member of a group that shares common religious practices. Discrimination against Jews may give rise to a Title VI violation when the discrimination is based on an individual’s race, color, or national origin.

The Trump Administration’s emphasis on protecting federal right of conscience and other religious freedom protections is made more perilous by his sharp disagreement, revocation, and characterization as patently illegal various key aspects of the interpretation and enforcement policies of the Biden, Obama and other previous administration regarding federal right of conscience and other religious freedom, sexual orientation, reproductive rights and other civil rights policies and protections. See e.g., Executive Order 14281 -Restoring Equality of Opportunity and Meritocracy (April 23, 2025). These directives and widespread coverage and publicity of the actions by HHS and other federal agencies to implement and enforce the Administration’s Merit Based interpretation and enforcement of civil rights laws are fueling a a slew of new federal investigations and enforcement, as well as encouraging and shaping private discrimination claims by both parties advantaged or disadvantaged by the Administration’s interpretations.

As reflected by OCR’s May 13, 2025 announcement of its investigation of complaints against a “prestigious” midwestern university (“University”), OCR and other federal agencies are responding by zealously investigating complaints of anti-Semitism or other race, color, national origin and religious discrimination by academic and other health care, education, health insurance and other organizations receiving federal funding under programs managed by HHS.

Announced OCR Investigations Since February Show HHS Enforcement Risks

According to OCR, the investigation announced on May 13, 2025, and other investigations “[are] part of a broader effort by the Administration’s multi-agency Joint Task Force to Combat Anti-Semitism. OCR opened the investigation against the University in response to a complaint from a multi-stakeholder advocacy organization that alleges “systemic concerns regarding the University’s actions to maintain a campus climate, academic direction, and institutional policy that ensures nondiscrimination on the basis of race, color, and national origin.” OCR says its investigation will examine whether the University complied with its obligations under Title VI not to discriminate against Jewish students, such that it denied them an educational opportunity or benefit.

Before OCR issued is May 13, 2025, announcement, OCR and other federal agencies previously had announced Civil Rights Act and other investigations of illegal anti-Semitism at four academic medical centers based on their response to protests and other anti-Semitic activity during graduation and other activities. In addition, OCR also had announced similarly high-profile investigation or enforcement actions against Harvard University and Harvard Law Review, a HHS-funded health services research scholarship program; eight medical schools and hospitals; a HHS-funded health research program; a California-based medical school; the State of Maine and others for impermissibly applying race, color, national origin, sex, religious or other prohibited criteria in operating their programs.

The message from these and other HHS investigations and enforcements is clear. “Institutions of higher education receiving HHS Federal financial assistance are responsible for complying with Title VI’s nondiscrimination mandates,” said Anthony Archeval, Acting Director of the Office for Civil Rights at HHS. “OCR is committed to ensuring students’ education, safety, and well-being are not disrupted due to discrimination at institutions funded by taxpayer dollars.”

Dear Colleague Letter Advises Academic Medicine & Other HHS-Funded Organizations On Implementing Merit Based Decisionmaking

While warning academic medical and other health care and other HHS-funded organizations against the application of non-merit based criteria and other prohibited race, national origin, color, sex and religious discrimination, OCR also has sought to encourage covered entities to adapt their policies and practices to comply with President Trump’s merit based interpretation of the Civil Rights Act and other federal civil rights law prohibitions against race, color, national origin, sex and religious discrimination through a May 6, 2025, “Dear Colleague” Letter. In the dear Colleague Letter, OCR ‘clarifies’ its updated policies interpreting and enforcing what constitutes race-based discrimination under Title VI, Section 1557, and the Equal Protection Clause of the United States Constitution as applied to student admissions, academic and campus life, and the operation of university hospitals and clinics.

The Dear Colleague Letter reiterates that Title VI and Section 1557 prohibit academic medical and other covered organizations from relying on race-based criteria, racial stereotypes, and facially neutral criteria that operate as a pretext for race. Instead, citing to the Supreme Court’s decision in Students for Fair Admissions v. Harvard, 600 U.S. 181 (2023) and President Trump’s Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, the Dear Colleague Letter warns HHS funded academic medicine and other organizations that these federal rules require health care providers, and those in the health professions pipeline make their selections and decisions “based on merit and clinical skills, not race” or other non-merit based criteria even when the purpose of the use of the criteria is to promote diversity or racial-balancing.

The Dear Colleague Letter discloses that in applying its merit-based interpretation of Title VI and Section 1557, OCR will prioritize enforcement against HHS funded organizations that:

Use race as part of their application or employment processes;

Require diversity, equity, and inclusion statements in connection with hiring or promotion; or
Lack clear policies demonstrating compliance with Students for Fair Admissions v. Harvard.

Accordingly, the Dear Colleague Letter advises medical schools and other HHS-funded organizations to:

Ensure their policies and procedures comply with existing federal civil rights laws;
Discontinue criteria, tools, or processes that serve as substitutes for race or are intended to advance race-based decision-making; and
End reliance on third-party contractors, clearinghouses, or data aggregators that engage in prohibited uses of race.

Act Now To Mitigate Risks From Past, Current & Future Non-Merit Based Decisions & Other Prohibited Discrimination

The new emphasis of HHS and other agencies on investigation and enforcement of federal protections for race, national origin, and other civil rights laws alone should prompt all health care and other HHS-regulated authorities prospectively to reevaluate and update their own practices to strengthen their defensibility under new standards.

As the Trump Administration civil rights directives and interpretations apply to all federal agencies, all organizations should consider and redress their exposure to civil rights or other discrimination under EEOC and other workforce, Department of Justice, and other applicable agency rules when assessing the adequacy of their existing policies and practices.

Organizations also should anticipate the likely need to defend past actions taking into account given the practice of HHS and other agency to apply the merit-based civil rights law interpretations of the Trump Administration even to events and actions that occurred while organizations were subject to the diversity, equity and inclusion friendly interpretations of federal civil rights laws during the Biden Administration. Since the investigation and enforcement actions announced by HHS and other agencies so far retroactively apply the newly announced Trump-era interpretations and standards to investigations of events and actions that occurred during the Biden Administration, prospective changes to enhance the defensibility of current and future actions alone may not be enough. Rather, health care and other organizations need to prepare for the possibility that HHS or other agencies may require their organization to defend Biden-era events under the new Trump Administration interpretations and enforcement policies. In the face of these developments, all health care organizations receiving funding from HHS should review their current and past policies and actions implicating federally civil rights laws to assess and manage their potential past exposures and mitigate future risks.

Because the process of reviewing and revising their policies and practices inevitably will require medicine and other HHS-funded institutions to identify and engage in legally and politically sensitive discussions of past and current policies, events, and actions affecting the competing interests of individuals or organizations whose opportunities are either helped or hurt by the Trump Administration’s transition to a merit-based interpretation of civil rights laws as well as potential whistleblower and retaliation exposures, academic medicine and other HHS-funded organizations generally should work with within the scope of attorney-client privilege with legal counsel experienced with these and other civil rights laws and dealing with OCR and other agencies in relation to investigations and enforcement actions under these rules.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising, representing, and defending health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, public and private employers, government contractors and grant recipients, educational organizations, child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other religious, civil rights and other discrimination, HIPAA and other privacy and data security, False Claims Act and other billing and reimbursement, quality, technology, licensing and accreditation, whistleblower and other workforce, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and heath care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in Civil Rights Laws, Section 1557 and other discrimination compliance, training, risk management and defense.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, Child Care, Childcare, Civil Rights, Conditions of Participation, Cultural diversity, dei, Direct Primary Care, Disability Discrimination, Discrimination, early childhood education, Education, Employee Benefits, Employer, Employment, Federal Health Center, Government contractor, Grant recipients, Grants, Health Care, Health Care, Health Care Finance, Health Care Provider, Health Insurance, Health Insurance Exchange, Health Plan, Health Plans, healthcare, Heath Care Exchange, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Medicaid, Medicaid Advantage, Medical Licensure, Medicare, Medicare Advantage, Medicare Advantage, OCR, OCR, Patients, Pharmaceudical, Reproductive Rights, Rural Health Care, Section 1557, University, Veterans Health | Tagged: Civil Rights, donald-trump, Education, Merit-Based, news, politics, Trump | Permalink
Posted by Cynthia Marcotte Stamer

6/16 Deadline To Recommend On Patient-Centric Technology Design With CMS and ONC

May 14, 2025

June 16, 2025 is the deadline to share input on designing a seamless, secure, and patient-centered digital health infrastructure that will help seniors and their families use modern technology to control of their health and well-being, manage chronic conditions, and access care more efficiently in response to the request for information (“RFI”) of the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”).

Following up on the CMS Interoperability and Patient Access Final Rule and part of Secretary Kennedy’s effotts to “Make America Healthy Again,” the RFI invites input from patients, caregivers, providers, payers, technology developers, and other stakeholders on how CMS and ONC can:

Drive the development and adoption of digital health management and care navigation applications;
Strengthen interoperability and secure access to health data through open, standards-based technologies;
Identify barriers preventing the seamless exchange of health information across systems; and
Reduce administrative burden while accelerating progress toward value-based, patient-centered care.

Many health care providers and others in the health industry have made significant investments in and have experience with patient focused health and wellness technologies. Sharing input can promote awareness of helpful design ideas and help deter investments or mandates of counterproductive technologies.

For More Information

©️2025 Cynthia Marcotte Stamer. Licensed for republication to Cynthia Marcotte Stamer.

Leave a Comment » | Electronic Health Records, Employee Benefits, Health Apps, Health Care, Health Care, Health Care Provider, Health Care Reform, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, Patient Empowerment, Patients, public health, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Organizations Urged To Strengthen Right Of Conscience Defenses As HHS Opens 2 Right Of Conscience Investigations Within 1 Month Of Opening New Child Chemical Or Surgical Mutilation Whistleblower Portal

May 12, 2025

Health care organizations should move quickly to verify the defensibility of their current and past practices and actions for offering and providing religious accommodation and avoiding religious discrimination in light of the announcements by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of the opening of two new Church Amendment right of conscience investigations less than a month after of OCR published a new right of conscience guidance and launched a new online portal for whistleblowers to use to submit tips or complaints regarding the chemical and surgical mutilation of children. These developments are particularly concerning in light of the sharp reversal of the policies of the prior administration and the apparent current readiness of the agencies to treat actions taken under the previous administration’s policies as grounds for investigation or enforcement.

Federal Statutes Protect “Right of Conscience” In Health Care

While Federal protections against religious discrimination and infringement on rights of conscience and longstanding and well-established through the religious freedom and discrimination provisions of the First Amendment to the United States Constitution and the Civil Rights Act of 1964 (the “CRA”), and health care specific laws such as the Church Amendment, Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal laws, President Trump’s policy directions on right of conscience and other religious freedom and discrimination are fueling new requirements and risks for health care organizations and other businesses and government organizations.

HHS interpretation and enforcement of the prohibitions against religious or other discrimination under Sectio 1557 and other federal rules protecting Rights of Conscience in health care is now rapidly evolving in response to recent Executive Orders of President Trump. Its announcement of two right of conscience investigations against health care organizations in less than a month illustrate the exploding risks that health care providers and other organizations receiving HHS funding face for excluding or discriminating against health care providers, patients, and certain other federal program participants who refuse on religious or moral grounds to participate in certain health care services under these federal health care right of conscience rules including the following:

Church Amendment

Enacted in the 1970s to protect the rights of individuals and entities to object to performing or assisting in the performance of certain procedures because of their religious beliefs or moral convictions, the Church Amendment:

Prohibits public officials and authorities from requiring recipients of certain federal financial assistance to provide or make their facilities available for abortion or sterilization when the recipient has a religious or moral objection to sterilization or abortion.
Prohibits entities that receive certain federal financial assistance from discriminating against physicians and health care personnel:
- because they performed a lawful sterilization, abortion, or other lawful health service or research activity,
- because they refused to perform a lawful sterilization, abortion, or other lawful health service or research activity, or
- because of their religious beliefs or moral convictions about sterilization, abortion, or any other lawful health services or research activities.
Protects individuals who object because of their religious or moral beliefs to performing or assisting in the performance of any part of a federally funded health service program or research activity.
Prohibits entities that receive certain federal financial assistance from discriminating against applicants for training or study because the applicant is reluctant or willing to participate in abortions or sterilizations due to their religious or moral beliefs.

Coats-Snow Amendment

The Coats-Snowe Amendment codified as Section 245 of the Public Health Service Act, prohibits the federal government and any state or local government receiving federal financial assistance from discriminating against any health care entity on the basis that the entity:

Refuses to undergo training in the performance of abortions;
Refuses to require or provide abortion training;
Refuses to perform abortions, or to provide referrals for abortion training or for abortions;
Refuses to make arrangements for any of the above activities related to abortion; or
Attends (or attended) a post-graduate physician training program, or any other program of training in the health professions, that does not (or did not) perform induced abortions or require, provide, or refer for training in the performance of induced abortions, or make arrangements for the provision of such training.

Weldon Amendment.

The Weldon Amendment provides that none of the funds made available in those HHS appropriations acts may be made available to a Federal agency or program, or to a state or local government, if the agency, program, or government discriminates against any institutional or individual health care entity on the basis that the health care entity does not provide, pay for, provide coverage of, or refer for abortions. It defines “health care entity” to include “an individual physician or other health care professional, a hospital, a provider-sponsored organization, a health maintenance organization, a health insurance plan, or any other kind of health care facility, organization, or plan.”

Trump Policy Directives Drive New Risks By Changing Prior Religion & Other Discrimination Interpretations & Prioritizing New Rule Enforcement For Past, Current & Future Actions

Although U.S. law long has protected religious freedom through the protections of the First Amendment to the United States Constitution, the Civil Rights Act of 1964 (the “CRA”), Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal laws, President Trump’s policy directions on right of conscience and other religous freedom and discrimination, HHS interpretation and enforcement of these Rights of Conscience now are rapidly evolving in response to recent Executive Orders of President Trump.

Most directly, HHS’ new emphasis on investigation and enforcement of Rights of Conscience directly responds to Executive Orders of President Trump on religious freedom. On his Executive Order 14188 – Additional Measures To Combat Anti-Semitism (January 29, 2025), for instance, President Trump in declaring his administration’s commitment to combating the rise of anti-Semitism and anti-Semitic incidents in the United States and around the world and directing the Justice Department and other agencies to vigorously enforce Civil Rights Act Title VI, specifically noted the current prohibitions against anti-Semitism embedded in U.S. religious freedom laws, stating:

Title VI of the Civil Rights Act of 1964 (Title VI) prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving Federal financial assistance. While Title VI does not cover discrimination based on religion, individuals who face discrimination on the basis of race, color, or national origin do not lose protection under Title VI for also being a member of a group that shares common religious practices. Discrimination against Jews may give rise to a Title VI violation when the discrimination is based on an individual’s race, color, or national origin.

In Executive Order 14202, Eradicating Anti-Christian Bias (February 6, 2025), President Trump ordered HHS and other agencies to review and recommend policy changes and other remedial actions to correct any unlawful anti-Christian policies, practices of the Biden Administration and develop other strategies to protect the religious liberties of Americans.

Subsequently, in his May 11, 2025, Executive Order 14291, Establishment of the Religious Liberty Commission, President Trump took aim at threats to religious freedom from efforts of certain Federal, state and local policies that President Trump views as infringing longstanding conscience protections, preventing parents from sending their children to religious schools, threatening loss of funding or denial of non-profit tax status for faith-based entities, and singling out religious groups and institutions for exclusion from governmental programs. To redress these threats, President Trump announced it is “the policy of the executive branch to vigorously enforce the historic and robust protections for religious liberty enshrined in Federal law” and to “promote citizens’ pride in our foundational history, identify emerging threats to religious liberty, uphold Federal laws that protect all citizens’ full participation in a pluralistic democracy, and protect the free exercise of religion.”

To implement this policy, President Trump established a “Religious Liberty Commission” to prepare a comprehensive report on the foundations of religious liberty in America, the impact of religious liberty on American society, current threats to domestic religious liberty, strategies to preserve and enhance religious liberty protections for future generations, and programs to increase awareness of and celebrate America’s peaceful religious pluralism. In defining the directives of the Commission, President Trump expressly included among the topics for consideration by the Commission “[c]onscience protections in the health care field and concerning vaccine mandates” and the Permitting time for voluntary prayer and rright of all Americans to freely exercise their faith without fear or Government censorship or retaliation. See Executive Order 14291, Establishment of the Religious Liberty Commission (May 1, 2025).

Beyond these religious freedom directives, President Trump also has issued other Executive Orders reversing key Biden Administration policies on politically sensitive policies often overlapping with issues of religious conscience. For instance, in one of his earliest actions upon commencing his second Presidency, President Trump overruled previous administrations’ policies that promoted and protected the right of individuals to self-define their own sex regardless of biological sex at birth and associated safeguards and protection by directing[1] that U.S. law recognize only two genders, male and female, the assignment of which is determined by the gender of an individual at birth.

Subsequently, in Executive Order 14187, Protecting Children From Chemical and Surgical Mutilation (January 28, 2025) overruled Biden Administration policies protective of gender transition and other treatments for gender dysphoria by ordering HHS to end take action to terminate all regulations and other policies and practices that allow or support chemical and surgical mutilation of children as a treatment of gender dysphoria.

Meanwhile, in his Executive Order 14182-Enforcing the Hyde Amendment (January 24, 2025), President Trump reversed key policies undertaken by the Biden Administration to mitigate the effects of the Supreme Court’s landmark Dobbs vs. Jackson Women’s Health Organization decision that overturned Roe vs. Wade by declaring the U.S. Constitution does not protect a woman’s right to an abortion.

In response to these and other Trump Executive Orders, HHS on April 14, 2025, published its new Guidance for Whistleblowers on the Chemical and Surgical Mutilation of Children (the “Whistleblower Guidance”). The Whistleblower Guidance explains the conditions under which the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) allows health care providers, health plans, health care clearinghouses or their business associates (“HIPAA Entities”) to disclose information about chemical or surgical mutilation of children in violation of Executive Order and key federal anti-retaliation protections for whistleblowers making these disclosures or engaging in other exercises of their Rights of Conscience under the Church Act.

New HIPAA Whistleblower Guidance

The HIPAA Privacy Rule generally prohibits use, disclosure, and protection of protected health information (“PHI) by HIPAA Entities. The Whistleblower Guidance notes that since its inception, the Privacy Rule has provided various pathways for HIPAA Entities to use and disclose PHI in connection with whistleblowing actions of their workforce members or business associates.

Along with the option to use de-identified information in whistleblower disclosures, the Whistleblower Guidance also notes that the whistleblower provision of the Privacy Rule provides that a HIPAA Entity is not considered to violate the Privacy Rule when a workforce member or business associate discloses PHI in the following circumstances:

The workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public[2], and
The workforce member or business associate of the covered entity discloses PHI to any of the following:

A health oversight agency[3] or public health authority[4] authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity.
An appropriate health care accreditation organization[5], such as a state medical board, for the purpose of reporting the allegation of failure to meet professional standards[6] or misconduct by the covered entity.
An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining his or her legal options with respect to whistleblowing.

Thus, the Whistleblower Guidance states the Privacy Rule protects a HIPAA Entity from liability for the good-faith whistleblower action of a member of its workforce or a business associate in these situations, but does not protect the HIPAA Entity where, for example, a member of its workforce or its business associate discloses PHI to a member of the media or in some other manner not in accordance with an allowable exception to the Privacy Rule.

Since the HIPAA Entities bear responsibility for inappropriate disclosures of PHI by whistleblowers from their workforce, the Whistleblower Guidance sends a strong message to HIPAA Entities to properly document and train workforce members about when and how HIPAA allows or prohibits the use of PHI when reporting known or suspected violations of the law.

Along with discussing when HIPAA allows whistleblowers to uses or disclose PHI to report illegal behavior, the Whistleblower Guidance also highlights the following as among the federal laws most likely pertinent for “protecting whistleblowers who take action related to ensuring compliance with” the Executive Order. EO 14187:

The National Defense Authorization Act of 2013 (“NDAA”) contains a broad whistleblower protection for employees of federal contractors and grantees by providing that “[a]n employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor may not be discharged, demoted, or otherwise discriminated against as a reprisal for disclosing to” certain statutorily defined officials and entities “information that the employee reasonably believes is evidence of gross mismanagement of a Federal contract or grant, a gross waste of Federal funds, an abuse of authority relating to a Federal contract or grant, a substantial and specific danger to public health or safety, or a violation of law, rule, or regulation related to a Federal contract (including the competition for or negotiation of a contract) or grant.”
The False Claims Act (“FCA”) anti-retaliation provisions protect “employee[s], contractor[s], [and] agent[s]” from discharge, demotion, suspension, or any other manner of discrimination “in the terms and conditions of employment” because of lawful acts taken by the individual in furtherance of a claim under the FCA or “other efforts to stop one or more violations of [the FCA]” where an individual must generally show that: (1) he or she is a covered “employee, contractor, or agent”; (2) he or she was engaged in activity protected by the statute; (3) he or she was retaliated against; and (4) the retaliation was “because of” protected activity.
The Church Amendments prohibits entities that receive certain federal financial assistance from discriminating “in the employment, promotion, or termination of employment of any physician or other health care personnel” or discriminating “in the extension of staff or other privileges to any physician or other health care personnel” because that individual “refused to perform or assist in the performance” of a “lawful sterilization procedure” “on the grounds that his performance or assistance in the performance of the procedure . . . would be contrary to his religious beliefs or moral convictions,” or “because of his religious beliefs or moral convictions respecting sterilization procedures[.]” In addition, 42 U.S.C. § 300a-7(d) provides: “No individual shall be required to perform or assist in the performance of any part of a health service program or research activity funded in whole or in part under a program administered by the Secretary of Health and Human Services if his performance or assistance in the performance of such part of such program or activity would be contrary to his religious beliefs or moral convictions.”
The HIPAA Privacy Rule generally requires HIPAA Entities to have and apply appropriate sanctions against members of its workforce who failed to comply with their privacy policies or procedures or with the requirements of the rule. However, Privacy Rule § 164.530€(1) explicitly excludes the application of sanctions to a member of the HIPAA Entity’s workforce for whistleblowing activity.

2 New Right Of Conscience Investigations Signal Growing Enforcement Risks

OCR’s announcement of its opening of two Right of Conscience investigations sends a clear warning to health care providers and other HHS-funded entities to ensure the defensibility of their own practices and policies for honoring the rights of conscience of their workforce and others they do business with in the course of their operations.

1st Right Of Conscience Investigation Announcement On April 14

On April 14, 2025, OCR announced its initiation of its first investigation of a major pediatric teaching hospital for allegedly terminating the employment of a whistleblower nurse for exercising her federally protected rights of conscience. According to the OCR announcement, the pediatric teaching hospital allegedly terminated the employment of a whistleblower nurse for exercising her federally protected rights of conscience. The OCR announcement states that the investigation will examine whether the pediatric hospital violated the Church Amendments by firing a whistleblower nurse after she requested a religious accommodation to avoid administering puberty blockers and cross-sex hormones to children, which she opposed due to religious beliefs about the sterilization effects of these interventions. The announcement also quotes Acting HHS OCR Director Anthony Archeval as stating, “The Department will robustly enforce Federal laws protecting these courageous whistleblowers, including laws that protect health care professionals from being forced to violate their religious beliefs or moral convictions.”

2^nd Right of Conscience Investigation Announcement On May 12

Less than one month after announcing its first investigation, OCR on May 12, 2025, announced its second right of conscience investigation against a hospital which is part of a larger health care system. According to the announcement, the investigation will focus on how the hospital accommodates its health care personnel who decline to perform or assist in the performance of abortion procedures contrary to their religious beliefs or moral convictions.

The second announcement notes that the investigations are “part of a larger effort to strengthen enforcement of laws protecting conscience and religious exercise.” It also quotes Acting OCR Director Archeval as stating, “The Department is committed to enforcement of our nation’s laws that safeguard the fundamental rights of conscience and religious exercise,” … “Health care professionals should not be coerced into, fired for, or driven out of the profession for declining to perform procedures that Federal law says they do not have to perform based on their religious beliefs or moral convictions.”

The new emphasis of HHS and other agencies on investigation and enforcement of federal protections for rights of conscience and other religious freedoms and other civil rights laws alone should prompt all health care and other HHS-regulated authorities prospectively to reevaluate and update their own practices to strengthen their defensibility under new standards. When assessing the adequacy of their existing policies and practices, health care and other covered organizations also should anticipate the likely need to defend past actions taking into account the Trump Administration’s sharp redirection of interpretations and enforcement away from the policies of the Biden Administration. Since the investigation and enforcement actions announced by HHS and other agencies so far retroactively apply the newly announced Trump-era interpretations and standards to investigations of events and actions that occurred during the Biden Administration, prospective changes to enhance the defensibility of current and future actions alone may not be enough. Rather, health care and other organizations need to prepare for the possibility that HHS or other agencies may require their organization to defend Biden-era events under the new Trump Administration interpretations of the Church Amendments, the CRA, Section 1557, and other federal rules on religious or other Civil Rights law discrimination. In the face of these developments, all health care organizations receiving funding from HHS should review their current and past policies and actions implicating potential exercises of rights of conscience regarding to the treatment of children for gender dysphoria, abortion and other reproductive rights and other areas likely to implicate the Church Amendments or other federally protected religious rights to assess their potential past exposures and mitigate future risks.

For More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

[1] See e.g., Executive Order 14168, Defending Women From Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (January 20, 2025).

[2] 45 CFR 164.502(j)(1)(i).

[3] 45 CFR 164.501.

[4] 45 CFR 164.501.

[5] 65 Fed. Reg. at 82492.

[6] See 65 Fed. Reg. at 82727

Leave a Comment » | Civil Rights, Conditions of Participation, dei, Discrimination, Employment, Health Care, Health Care, Health Care Finance, home health, Hospital, Medicaid, Medicaid Advantage, Medical Licensure, Medicare, Medicare Advantage, OCR, Physician, Reimbursement, Section 1557 | Tagged: Church Amendments, Health, Health Care, Health Care Fraud, HIPAA, Hospital, Medicare, Physician, politics, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

$1.5 Million Warby Parker Penalty Latest Reminder Of Cyberattack HIPAA Liability Risks

March 13, 2025

The $1,500,000 civil monetary penalty (“CMP”) the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed against online prescription and nonprescription eyewear manufacturer and online retailer Warby Parker, Inc., for Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule violations warns other HIPAA-covered health care providers health plans, healthcare clearinghouses (“covered entities”) and their business associate service providers (collectively, “HIPAA Entities”) to protect electronic systems with electronic protected health information (“ePHI”) from ransomware and other hacking attacks.

HIPAA Hacking Responsibilities & Risks

The HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) set requirements that HIPAA Entities must follow to protect the privacy and security of protected health information (“PHI”).

The HIPAA Security Rule establishes national standards to protect individuals’ ePHI created, received, used, disclosed, maintained, or transmitted by a HIPAA Dntity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of ePHI.

OCR guidance and enforcement make clear it considers protecting ePHI from improper access, use, disclosure, and destruction of other unavailability due to ransomware and other hacking threats.

Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:

A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000
A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation³ for violations after November 2, 2015.

Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines.

HIPAA breaches also generally expose HIPAA Entities and their leaders to potential liability for breach liability under federal and state electronic crimes and other data breach and security laws; Federal Trade Commission and other federal and state fraud and deceptive business laws; securities laws; Federal Sentencing Guideline and other liability for health care or other fraud and other crimes enabled by inadequate compliance or response; create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and a host of other legal, operational and business partner and public relations headaches.

Warby Parker’s Hard Lesson

Warby Parker is the latest in a fast-mounting list of HIPAA Entities nailed for hacking-related HIPAA breaches

The $1.5 million Warby Parker civil money penalty announced February 20, 2025 resulted from an OCR investigation of a December 2018 breach report of a hacking incident involving customer accounts filed by Warby Parker. The report stated that in November 2018, Warby Parker became aware of unusual, attempted log-in activity on its website. Warby Parker reported that between September 25, 2018, and November 30, 2018, unauthorized third parties gained access to Warby Parker customer accounts by using “credential stuffing.” Hackers used usernames and passwords obtained from other, unrelated websites that were presumably breached to access the Warby Parker data.

In September 2020, Warby Parker filed an addendum to its December 2018 breach report, updating the number of individuals affected by the breach to 197,986.

The compromised ePHI included customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information.

Warby Parker also filed subsequent breach reports (each breach report affecting fewer than 500 persons) in April 2020, and June 2022, following similar attacks.

OCR’s investigation of the breach reports found evidence of three violations of the HIPAA Security Rule. These included:

Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems;
Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
Failure to implement procedures to regularly review records of information system activity.

Based on these findings, OCR’s Notice of Final Determination imposed a $1,500,000 civil money penalty.

Ransomware & Other Hacking Now OCR #1 HIPAA Enforcement Priority

All HIPAA Entities should learn from the costly lessons of Warby Parker and the many other HIPAA Entities sanctioned or awaiting their consequences for hacking incidents and consult with qualified legal counsel for assistance in conducting an assessment of the adequacy of their current compliance.

Hacking, ransomware and other cyberattacks collectively and individually account for the breaches of ePHI affecting the largest number of individuals by far and away.

OCR announced various other hacking or other cyberattack related large breaches intermittently across the years.

Hacking-related HIPAA investigations and enforcement actions date back to the 2015 hacking breach at Premera Blue Cross that impacted more than 10.4 million individuals’ records and led to Premera paying OCR $6.85 million to settle resulting OCR HIPAA charges.

After periodically warning HIPAA Entities to address ransomware and hacking through its announcement of occasional hacking-related breach enforcement actions and other guidance, epidemic ransomware and other large scale cyber breaches targeting UnitedHealthcare subsidiary Change Health, Ascension Health, and many other large health care and health insurance organizations prompted OCR to identify HIPAA Security Rule breaches involving ransomware and other cyberattacks a top prevention, investigation and enforcement priority. Since then, the list of HIPAA entities paying OCR civil monetary penalties or settlements to resolve cyberattack related HIPAA charges has quickly and steadily grown. with the number of cyber attacks, impacting HIPAA entities accelerating, the number and magnitude of penalties assessed will only grow.

OCR has published a long list of guidance and alerts to help HIPAA Entities fulfill their HIPAA duties to safeguard their ePHI from ransomware and other cyberattacks and resulting HIPAA liabilities.

Among other things, OCR recommends that HIPAA Entities take the following steps to mitigate or prevent cyber-threats:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems;
Integrate risk analysis and risk management into the organization’s business processes;
Ensure that audit controls are in place to record and examine information system activity;
Implement regular reviews of information system activity;
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI;
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate;
Incorporate lessons learned from incidents into the organization’s overall security management process; and
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

OCR regulations, resolution agreements, civil monetary penalty, assessments, also make clear HIPAA Entities must carefully document their original risk assessments, their timely monitoring and response to new threats, the analysis underlying their risk assessments and response, and other critical details and be prepared to produce that risk assessment in the event of an OCR investigation or audit.

This guidance also reflects HIPAA Entities should capture their ongoing use of appropriate procedures to monitor and respond to signs of threat or compromise to their own systems as well as OCR and other agency and industry alerts about emerging threats and susceptibilities as part of their ongoing risk assessment and response process.

Given the high threat environment and the growing HIPAA and other liabilities that commonly follow a cyberattack breach, HIPAA entities and their leaders should consider the advisability of conducting these assessments and any known or suspected breach investigation and response with the benefit of guidance from HIPAA experienced legal counsel within the scope of attorney-client privilege

HIPAA entities also should ensure appropriate plans and resources to investigate and respond to any breach that might occur promptly. Most entities will want to secure liability insurance coverage as well as require suitable credential information, indemnification, insurance and other assurances from their business associates and other vendors with access to systems or data that includes electronic PHI.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For HIPAA Help or Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, ambulance, business associate, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data security, Electronic Health Records, Emergency Care, Employee Benefits, GINA, Health Care, Health Care, Health Care Finance, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospital, Medicaid, NIST, Physician, Physician Licensing | Permalink
Posted by Cynthia Marcotte Stamer

OCR Updated Guidance Reminds HIPAA Entities Of HIPAA Online Tracking Duties

March 19, 2024

Health care providers, heath plans, health care clearinghouses and their business associates (covered entities) should verify that any online tracking technology used in their or their business partner websites or mobile applications comply with the Department of Health and Human Services, Office of Civil Rights (OCR) updated guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” published March 18, 2024.

The Guidance reminds covered entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) apply to their use of online tracking technologies like Google Analytics or Meta Pixel, collect and analyze information about how users are interacting with a regulated entity’s website or mobile application.

The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes electronic protected health information (ePHI).

OCR’s information bulletin reminds covered entities that they can only use online tracking technologies provided that the entities comply with their obligations under the HIPAA Rules. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

OCR’s Bulletin provides a general overview of how the HIPAA Rules apply to covered entities use of tracking technologies. It also updates to the Bulletin include:

Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
Additional tips for complying with the HIPAA Rules when using online tracking technologies.
Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.

Covered entities need to understand that online tracking technologies commonly are included in Website, mobile application, and other Internet based tools. These tools frequently include online tracking even if not specifically requested by the covered entity.

Covered entities should conduct a documented inventory of all website, mobile app, and other Internet, based tools that they or their business associates use, which includes an assessment of whether those tools include online tracking, or other technologies, covered by the guidance. For any online tools using tracking capability, cupboard entities, must ensure that the tool is designed and administered to comply with the HIPAA requirements. Overed entities also should adopt a process for regularly reevaluating and monitoring compliance with this and other HIPAA security requirements in their Internet based in other electronic applications that collect, use, store, access, or disclose electronic, protected health information.

Along with specifically evaluating the existence and compliance of any online tracking technologies, covered entities, also should reevaluate and reconfirm the adequacy of their electronic security overall. The HIPAA Rules require healthcare providers and other covered entities to regularly conduct documented risk assessments to verify the adequacy of their security safeguards, and to make updates to guard against emerging threats based on these recurrent assessments. The importance of compliance with this ongoing recurrent risk assessment obligation is repeatedly reinforced in each HIPAA settlement announced by OCR. See, e.g., OCR Nails Second HIPAA Covered For Allowing Ransomware Breach.

Covered entities should ensure that they and their business associates maintain compliance with these other HIPAA obligations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Leave a Comment » | Academic medicine, air ambulance, ASC, business associate, Childrens Health Insurance Program, Conditions of Participation, Electronic Medical Records, Emergency Care, Health Care, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospital | Permalink
Posted by Cynthia Marcotte Stamer

OCR Nails Second HIPAA Covered For Allowing Ransomware Breach

February 23, 2024

Health care providers, health plans, health care clearinghouses and their business associates (covered entities) that fail to appropriately safeguard their protected health information and systems against randomware and other malware threats as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should expect to pay hefty amounts to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) if an attack occurs. That is the clear message sent by OCR’s February 22, 2022 announcement of its second ransomware settlement since October, 2023.

Duty To Guard Against Malware

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information.

Ransomware and hacking are the primary cyber-threats in health care. A type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid, OCR has seen large breaches affecting more than 500 individuals reported to OCR involving hacking increase 256% and those from ransomware increase 264% increase over the past five years,

In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

In light of the growing threat, OCR is prioritizing enforcement, education and compliance outreach to HIPAA covered entities.

OCR’s February 22, 2024 announcement of its second ever and second settlement of a malware related enforcement action in less than five months demonstrates OCR’s readiness to hold covered entities accountable for failing to fulfill this responsibility.

Green Ridge Ransomeware Breach

OCR’s February 22, 2022 announcement of its second ever ransomware related resolution agreement and corrective action plan reaffirms OCR’s readiness to hold covered entities accountable for failing to guard against ransomware and other cyber risks.

Green Ridge Behavioral Health, LLC, (Green Ridge), a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy. This marks the second settlement that OCR has reached with a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack.

The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals.

OCR learned of the breach after Green Ridge filed a breach report with OCR in February 2019 that stated that its network server had been infected with ransomware resulting in the encryption of company files and the electronic health records of all patients.

In keeping with its policy of investigating all breaches affecting more that 500 individuals (large breaches), OCR opened an investigation in April, 2019.

OCR’s investigation of the breach found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach. Other findings included that Green Ridge Behavioral Health failed to:

Have in place an accurate and through analysis to determine the potential risks and vulnerabilities to electronic protected health information;
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.

Under the terms of the settlement, Green Ridge agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years to avoid exposure to potentially much greater HIPAA monetary penalties.

The plan also requires Green Ridge to take many actions to resolve potential HIPAA violations and to protect electronic protected health information, including:

Conducting a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
Designing a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
Reviewing, and as necessary, developing, or revising its written policies and procedures to comply with the HIPAA Rules;
Providing workforce training on HIPAA policies and procedures;
Conducting an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
Reporting to OCR when workforce members fail to comply with HIPAA.

First Malware Settlement

Prior to this week’s announcement of the Green Ridge resolution agreement, OCR already had announced its first ever malware related resolution agreement on October 31, 2023.

That $100,000 settlement resolved a potentially much greater HIPAA liability business associate Doctors’ Management Services (DMS) could have faced for alleged HIPAA violations OCR found investigating a large breach report DMS filed on April 22, 2019.

The DMS breach report disclosed that a ransomware attack affected DMS’ network server with GandCrab ransomware beginning with an initial unauthorized access to the network that occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018, Once the DNS system was accessed, ransomware was used to encrypt their files. The attack affected the electronic protected health information of 206,695 individuals

OCR’s investigation of the DNS breach found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

Under the terms of the DMS settlement agreement paid $100,000 to OCR and agreed to implement a corrective action plan that requires:

DMS to submit to OCR monitoring for three years to ensure compliance with HIPAA
Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctor’s Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
Provide workforce training on HIPAA policies and procedures.

Warning To All Covered Entities

Along with announcing the two recent resolution agreements, OCR also is warning all covered entities to tighten their malware and ransomware safeguards.

OCR’s announcement of the Green Ridge resolution agreement, for instance, quotes OCR Director Melanie Fontes Rainer as stating, “Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

To assist covered entities to meet this responsibility, OCR has developed Fact Sheet guidance that recommends covered entities to take at least the following steps to guard against breaches from ransomware and other malware attacks:

Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.
two recent resolutions agreements and other guidance and enforcement actions make clear that all covered entities should ensure their ability to demonstrate their completion of these and other actions a risk analysis shows are needed to defend against a ransomware or other malware threats. This guidance also alerts covered entities to stay vigilant and update risk assessments and safeguards in response as to evolving threats.

Covered entities should not assume the relatively modest settlement amounts collected in the two new ransomware settlements compared to exponentially greater resolution settlements like the $4.75 million settlement payment New York based Montefiore Medical Center made last year reflect greater tolerance for ransomware related threats versus internal or external hacking. To the contrary, the Montefiore Medical Center resolution makes clear the randomware threat is one of a multitude of internal and external threats covered entities must defend their protected health information against to comply with HIPAA.

Moreover, covered entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes, privacy data security, artificial intelligence, workforce, tax, and other laws.

Publicly traded organizations and their leaders also may face responsibilities and liability under new Securities and Exchange Commission regulations, clawback rules and other laws arising from the occurrence or bungled response to a breach.

Likewise, got businesses sponsoring or administering employment-based health plans, Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws. Since HIPAA and many of these other laws involve potential criminal as well as civil liability, organizations and leaders in covered entities generally should ensure their HIPAA and other cybersecurity compliance efforts are included in and administered according to their Federal Sentencing Guidelines Compliance program.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

In planning for an implementing these procedures, Covered Entities also are reminded that the effectiveness of these efforts requires that the Covered Entities incorporate appropriate processes and policies for monitoring and investigating compliance with the policies and procedures implemented to comply with HIPAA. Conducting this monitoring and investigation by necessity is likely to involve surveillance, investigation and cooperation of employees, contractors, vendors and others for which Fair Credit Reporting Act background check notification and consent and other procedures are necessary or advisable.

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence. Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

For More Informational

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | business associate, data breach, data security, Doctor, Electronic Health Records, Electronic Medical Records, Employer, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, GINA, Health Care, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, long-term care, Medical Privacy, Medical Records, NIST, nursing home, occupational health, OCR, Pharmacy, Physician, primary care, Self-Insured Group health Plans, Telemedicine | Tagged: Breach Notification, Data Breach, Data Security, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Provider, Health Plans, Health Policy, HHS, HIPAA, Hospital, Hospitals, Medical Privacy, OCR, pharmacy, PHI, Physician, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

FDA & CMS Partnering To Promote Accurate and Reliable Diagnostic Tests

January 18, 2024

The Food and Drug Administration (“FDA” and Centers for Medicare and Medicaid Services (“CMS”) are joining forces to heighten scrutiny of diagnostic testing. As part of these efforts, the agencies are working together to expand FDA oversight of testing facilities to increase FDA regulation and oversight of tests run within a single laboratory, known as laboratory, developed tests or LDTs. The agencies claim this will promote more reliable and accurate diagnostic tests.

LDTs Defined

LDTs are in vitro diagnostic products (IVDs) that are intended for clinical use and are designed, manufactured, and used within a single clinical laboratory which meets certain laboratory requirements. Specifically, such laboratory must be certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and meet the regulatory requirements under CLIA to perform high complexity testing.

IVDs are intended for use in the collection, preparation and examination of specimens taken from the human body, such as blood, saliva, or tissue. LDTs, like other IVDs, can be used to measure or detect a wide variety of substances, analytes, or markers in the human body, such as proteins, glucose, cholesterol, or DNA, to provide information about a patient’s health, including to diagnose, monitor, or determine treatment for diseases and conditions.

FDA Steps Up LDT Oversight

While LDTs generally are covered by the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and required to meet the regulatory requirements under CLIA to perform high complexity testing, the FDA since the 1970s has not enforced applicable requirements with respect to most LDTs.

The FDA now is making clear LDTs are covered by the CLiA and the FDA now will require LDT CLIA compliance in response to their increasing use and the greater risks associated with most modern LDTs compared to those associated with LDTs used decades ago.

In furtherance of this effort, on September 29, 2023, the FDA announced a proposed rule aimed at helping to ensure the safety and effectiveness of these tests. The proposed rule seeks to amend the FDA’s regulations to make explicit that IVDs are devices under the Federal Food, Drug, and Cosmetic Act, including when the manufacturer of the IVD is a laboratory. Along with this amendment, the FDA is proposing a policy under which the FDA intends to provide greater oversight of LDTs through a phaseout of its general enforcement discretion approach for most LDTs.

Today, the FDA announced it is moving forward to phase out its CLIA non enforcement policy for LDTs to provide increased FDA oversight of LDTs on January 18, 2024. See Laboratory Developed Tests (January 18, 2024).

Along with this announcement, the FDA and CNS also released the following joint statement released on January 18, 2024, attributed to Jeff Shuren, M.D., J.D., director of the FDA’s Center for Devices and Radiological Health (CDRH) and Dora Hughes, M.D., M.P.H., acting chief medical officer and acting director of the Center for Clinical Standards and Quality, Centers for Medicare & Medicaid Services (CMS)

Physicians heavily rely on laboratory tests to make critical decisions about their patients’ care—roughly 70% of healthcare decisions depend on laboratory test results according to the Centers for Disease Control and Prevention (CDC). For example, results from laboratory tests can be the sole determinant of whether a patient with cancer gets a particular therapy, potentially risking the patient’s life with an inaccurate test result. Because of the important role of laboratory tests in healthcare decisions, it is essential to ensure these tests work.

While the U.S Food and Drug Administration (FDA) actively oversees tests made outside laboratories by test manufacturers, tests m and run within a single laboratory, known as laboratory, developed tests or LDTs, are often used without such oversight. The FDA’s approach was developed half a century ago when tests made and used in single labs were generally simple, often made to address local individual needs, and mostly manufactured in small volumes. Therefore, the FDA, as a policy approach, generally did not enforce requirements for LDTs. However, since then, LDTs have evolved. Due to the increased risk to patients, it is time to reconsider this approach.

In recent decades, the FDA has identified concerns with a number of LDTs. For example, the FDA is aware of tests offered as LDTs that could have led to patients being over- or under-treated for heart disease; patients with cancer being exposed to inappropriate therapies or not getting effective therapies; and incorrect diagnoses of rare diseases, autism and Alzheimer’s Disease.^1,2Other evidence, including published literature^3,4,5,6,7,8 and the FDA’s experience with tests to diagnose COVID-19,⁹ suggests that the situation is getting worse. Therefore, in October of this year, the FDA issued a notice of proposed rulemaking to help ensure the safety and effectiveness of LDTs by phasing out the FDA’s current approach to LDTs. If finalized, LDTs would generally fall under the same enforcement approach as other tests. The Centers for Medicare & Medicaid Services (CMS) supports the FDA’s proposal.

Both CMS and the FDA believe that patients and their doctors need to know that LDTs are valid. The FDA and CMS both provide oversight to help assure the accuracy of test results, however, they have different roles. CMS regulates laboratories that perform testing on individuals in the U.S. through the Clinical Laboratory Improvement Amendments of 1988 (CLIA) by establishing quality standards for all laboratory testing to help ensure the accuracy, reliability and timeliness of patient test results. In 2013, CMS published a fact sheet on LDTs, outlining each agency’s authority and the complementary roles of the two regulatory schemes. That said, a decade later, in connection with the FDA’s notice of proposed rulemaking, we are – together – reiterating that CMS’s CLIA program is separate in scope and purpose from FDA oversight.

Some have suggested that concerns with LDTs should be addressed through expansion of CLIA. This is not the answer. As was stated in our 2015 testimony, CMS does not have the expertise to assure that tests work; the FDA does. Moreover, establishing a duplicative system for the oversight of tests by expanding CLIA would create more government bureaucracy and inconsistencies. That makes no sense.

The FDA and CMS have long stood together in mutual support of FDA oversight of the analytical and clinical validity of LDTs. LDTs play an important role in healthcare, but when they perform poorly or are not supported by science, they put patients at risk. The current approach has enabled some tests to enter the market with unfounded claims of innovation. These claims can mislead the public, undermine legitimate competition and disincentivize responsible, science-based innovation. Applying the same oversight approach to laboratories and non-laboratories that manufacture tests would better assure the safety and effectiveness of LDTs and would remove a disincentive for non-laboratory manufacturers to develop novel tests that can be available to and used by many laboratories for many patients.

We are now emerging from a global pandemic that has underscored the importance of accurate and reliable tests. Patients and providers need to have confidence that laboratory tests work. We believe the complementary FDA and CMS frameworks are both critical to assuring patients can rely on the clinical accuracy of their test results. “
See: Americans Deserve Accurate and Reliable Diagnostic Tests, Wherever They Are Made (January 18, 2024).

Affected LDT facilities and other interested parties should follow these efforts closely for relevant developments and opportunities for comment and other input. Additionally, LDTs should move quickly to come into compliance with all applicable CLIA requirements.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

¹ See pages 68010- 68012 of FDA’s Notice of Proposed Rulemaking.

² See “Memorandum to File – Examples of IVDs Offered as LDTs that Raise Public Health Concerns RE: Medical Devices; Laboratory Developed Tests”

³ Pfeifer, J.D., R. Loberg, C. Lofton-Day, et al., “Reference Samples to Compare Next-Generation Sequencing Test Performance for Oncology Therapeutics and Diagnostics,” American Journal of Clinical Pathology, 157(4):628-638, 2022 External Link Disclaimer.

⁴Quy, P.N., K. Fukuyama, M. Kanai, et al., “Inter-Assay Variability of Next-Generation Sequencing-Based Gene Panels,” BMC Medical Genomics, 15: 86, 2022 External Link Disclaimer.

⁵ Vega, D.M., L.M. Yee, L.M. McShane, et al., “Aligning Tumor Mutational Burden (TMB) Quantification Across Diagnostic Platforms: Phase II of the Friends of Cancer Research TMB Harmonization Project,” Annals of Oncology, 32(12):1626-1636, 2021 External Link Disclaimer.

⁶ Offit, K., C.M. Sharkey, D. Green, et al., “Regulation of Laboratory-Developed Tests in Preventive Oncology: Emerging Needs and Opportunities,” Journal of Clinical Oncology, 41(1): 11-21, 2023 External Link Disclaimer.

⁷Coffey, D., “Blood Test Positive for Cancer, but Is There Really a Tumor?” Medscape, February 17, 2023 External Link Disclaimer.

⁸ Manrai, A.K., B.H. Funke, H.L. Rehm, et al., “Genetic Misdiagnoses and the Potential for Health Disparities,” New England Journal of Medicine, 375(7):655-665, 2016 External Link Disclaimer.

⁹ See “Memorandum from Elizabeth Hillebrenner to FDA CDRH”

Leave a Comment » | Academic medicine, Centers For Disease Control, CLIA, diagnostic testing, drug treatment, FDA, Health Care, laboratory testing, Laboratory tests, Life Sciences, Medicaid, Medicare | Tagged: CLIA, Compliance, Credentialing, Doctor, FDA, Health Care Compliance, Health Care Provider, health care quality, Health Plans, healthcare, Hospital, Hospitals, lab tests, LDTs, licensure, Medical Licensure, Pandemic, Pharmaceudical, pharmacist, pharmacy, Physicians, public health | Permalink
Posted by Cynthia Marcotte Stamer

46th OCR HIPAA Right of Access Settlement With Optum Medical Care Warns All HIPAA Entities To Timely Deliver Required Medical Record Access

January 5, 2024

Health care providers, health plans, and health care clearinghouses (“Covered Entities”) should ensure their compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Rule in light of the announcement by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) that Optum Medical Care of New Jersey (“Optum”) has agreed to pay $160,000 to OCR and take other steps to settle OCR’s forty-sixth enforcement action under its Right of Access Rule enforcement initiative.

HIPAA Right of Access Rule

The HIPAA Right of Access Rule guarantees individuals the right to access a broad array of health information about themselves maintained by or for health care providers and other Covered Entities. Under the Right of Access Rule, Covered Entities generally must provide individuals or their personal representatives copies or other acceptable access to the individual’s protected health information in a Covered Entity’s “designated record set” for a reasonable cost as soon as possible and within 30 days of receiving a request for a reasonable cost. However, the Right of Access Rule does not grant any right for an individual to access protected health information that is not part of a designated record set because the information is not used to make decisions about individuals.

The request for protected health information triggering the duty for a Covered Entity to provide access to the protected health information may come from the individual who is the subject of the protected health information or from the “personal representative” of that individual. When considering a request for protected health information from an individual other than the subject of the protected health information, health care providers and other Covered Entities also must use care to verify that the requesting party, in fact, qualifies as the individual’s “personal representative” as defined for purposes of HIPAA.

Once a health care provider or other Covered Entity receives a request protected health information from the individual or his personal representative, the Right of Access Rule requires the Covered Entity to provide access to all requested protected health information that is included within any “designated record set” within 30 days unless the requested information falls within one of two exceptions to the Rule. For this purpose, a “designated record set” generally is defined at 45 CFR 164.501 as any item, collection, or grouping of information that includes protected health information that is maintained, collected, used, or disseminated by or for a Covered Entity that comprises the:

Medical records and billing records about individuals maintained by or for a covered health care provider;
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

However, information is not considered part of the designated record set if it is not used by or for the Covered Entity to make decisions about the individual. Examples of such records might include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

Even where the information falls within the definition of a designated record set, however, HIPAA expressly excludes two categories of information from the Right of Access right:

Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session maintained separately from the rest of the patient’s medical record as described in 45 CFR 164.524(a)(1)(i) and 164.501.
Information complied in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding described under 45 CFR 164.524(a)(1)(ii).

However, it is critical that Covered Entities not overestimate the reach of either of these two exceptions. The exception only applies to the narrow range of records meeting the requirements of the exception. The underlying protected health information from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual under the Right of Access Rule. Providers and other Covered Entities should use care to comply with the Right of Access Rule without providing more information than allowed as HIPAA liability can arise from failing to timely deliver access to all protected health information required by the Right of Access Rule or from sharing protected health information with an individual who is not either the individual or personal representative when the disclosure otherwise is not allowed by HIPAA To help negotiate these requirements, Covered Entities should become familiar with and process all requests for protected health information following the latest Right of Access Rule guidance. When in doubt, Covered Entities should seek the advice of experienced legal counsel within the scope of attorney-client privilege about proper fulfillment of their obligations under the Right of Access Rule in coordination with any other applicable responsibilities the Covered Entities has to provide access, disclose, or prevent disclosure of the requested information under otherwise applicable federal or states laws and regulations, ethical or other professional standards, contractual or other medical, insurance, financial, employee benefit or other rules relating to the requested records.

Optum Settlement 46^th Right Of Access Enforcement Settlement

The Optum settlement resulted from OCR’s investigation of six complaints in the Fall of 2021 that Optum violated the Right of Access Rule by failing to provide timely access to medical records when requested by an adult patient or by the parents of minor patients.

In February 2022, OCR initiated investigations of these Right of Access complaints. The investigation revealed that patients received their requested records between 84 and 231 days after submitting their respective requests. Since the Right of Access Rule requires that Covered Entities deliver the records no later than 30 days from receiving the individual’s requests, those timeframes fell well outside of the deadline for delivery required by the HIPAA Right of Access Rule. Accordingly, OCR concluded that Optum’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.

Under the Resolution Agreement reached with Optum, Optum agreed to pay $160,000 to OCR as well as implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor Optum Medical Care for one year.

Right Of Access Remains OCR Investigation & Enforcement Priority

The Optum enforcement action and settlement is the latest reminder to all Covered Entities that investigation and enforcement remains a top OCR priority. See e.g. OCR Sanction Of 44th Health Care Provider For Violating HIPAA Right of Access Rules Warning To Other Covered Entities. Because access to medical records empowers patients and their families to make decisions about their health care and improve their health overall, OCR views access to medical records “a fundamental right under HIPAA. For this reason, OCR believes it “critical that providers follow the law.” Accordingly, OCR Director Melanie Fontes Rainer has warned that health care providers “must proactively respond to record requests and ensure timely access” and “make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority.” See e.g., HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints with Optum Medical Care Over Patient Access to Records (January 4, 2024).

Despite the importance OCR has placed on compliance with the Right of Access Rule, OCR has and continues to receive thousands of Right of Access Rule complaints each year. In response to these persistent compliance issues, OCR continues to make enforcement of the Right of Access Rule a key enforcement priority through its Right Of Access Initiative.

In light of OCR’s commitment to continue to investigate and enforce compliance with the Right of Access Rule, health care providers and other Covered Entities and their business associates are urged to review their existing practices for receiving and processing patient record requests to confirm their own compliance with the Right of Access Rule and other applicable federal and state statutory regulatory and contractual requirements. To reduce risks of violations, all health care providers and other Covered Entities should seek assistance from experienced legal counsel within the scope of attorney-client privilege with auditing their past and current Right of Access Rule compliance for any necessary or advisable steps to prevent future violations and mitigate potential liabilities arising from potential past or future violations of the Right of Access Rule. Aside from confirming documented timely response to past requests for protected health information, among other things, most Covered Entities will want to consider:

Verifying that their current policies, privacy practices notices, training and other materials are updated to comply with all applicable policies and properly identify and provide current contact information for the Privacy Officer or other party responsible for receiving and responding to protected health information requests;
Appropriate procedures are in place to ensure that the Covered Entity can produce required documentation showing the individuals are appropriately notified of the Right of Access and other HIPAA rules, and that the Covered Entity captures the necessary documentation to show its receipt of all requests, and timely investigation and response to such requests;
Appropriate and documented processes for collecting, investigating or resolving any potential concerns, complaints, or other issues, their evaluation and resolution;
Appropriate workforce, business associates and other policies, training, oversight and enforcement to require and enforce compliance with applicable laws and policies; and
Appropriate processes, procedures, and training to ensure that staff fully understands and complies with both the specific processes and procedures of the Covered Entity for complying with the Right of Access Rule, as well as related procedures necessary to manage risks and responsibilities arising under verification of identity, personal representative, disclosure, recordkeeping or other HIPAA’ rules; medical, insurance, financial, or other data or privacy; licensure and market conduct; civil rights and nondiscrimination; fiduciary; licensure; marketing or other rules.

While involving outside consultants or other service providers generally is valuable if not required to conduct some of these tasks, Covered Entities are encouraged to use experienced outside legal counsel to help plan, conduct, evaluate and decide and implement responses to findings from these compliance and risk management activities both to benefit from legal counsel’s substantive legal expertise and experience and to take advantage of the opportunity to conduct sensitive discussions within the protection of attorney-client privilege or other evidentiary rules. Experienced outside legal counsel can guide Covered Entities about the best way to work with consulting and other vendors to maximize these benefits.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | business associate, Electronic Medical Records, Health Care, Health Care Finance, Health Care Provider, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Medical Records, OCR, Patient Empowerment, Patients, Physician, Physician Licensing, Right of Access, Self-Insured Group health Plans | Permalink
Posted by Cynthia Marcotte Stamer

Accommodating Patient Preferences No Defense To Prohibited Employment Discrimination

July 31, 2023

A new federal Equal Employment Opportunity Commission (“EEOC”) lawsuit reminds health industry and other employers that patient or other customer preferences do not justify or excuse an employer’s discrimination against employees in violation of the Civil Rights Act or other federal employment discrimination laws.

Brooklyn-based home health company ACARE HHC Inc., doing business as Four Seasons Licensed Home Health Care Agency (“Four Seasons”) faces a race discrimination suit for allegedly removing home health aides from their work assignments due to their race and national origin to accommodate client preferences.

According to a lawsuit (EEOC v. ACARE HHC d/b/a Four Seasons Licensed Home Health Care, 23-cv-5760), filed by the EEOC in the U.S. District Court for Eastern District of New York on July 31, 2023, Four Seasons violated the Title VII of the Civil Rights Act of 1964 (“Civil Rights Act”) by routinely acceding to racial preferences of patients in making home health aide assignments. The EEOC claims Four Seasons routinely removed Black and Hispanic home health aides based on clients’ race and national origin-based requests. Four Seasons would transfer aides to a new assignment or, if no other assignment was available, the aides lost their employment completely. The EEOC charges this alleged conduct violates the Civil Rights Act, which among other things prohibits employers from discriminating against employees on the basis of race and national origin. The EEOC seeks compensatory damages and punitive damages for the affected employees, and injunctive relief to remedy and prevent future discrimination based on employees’ race and national origin.

The lawsuit, warns employers against resigning or assigning workers to accommodate racial or other prohibited discriminatory preferences of customers, or business partners. “Making work assignment decisions based on an employee’s race or national origin is against the law, including when these decisions are grounded in preferences of the employer’s clients,” said Jeffrey Burstein, regional attorney for the EEOC’s New York District Office.

The lawsuit is one of a plethora of enforcement Civil Rights and other federal discrimination law actions by EEOC, the Department of Health and Human Services Office of Civil Rights, and other federal agencies under the Biden Administration’s prioritization of expansion and enforcement of discrimination and other discrimination and equal opportunity laws.

In light of these efforts, employers should take immediate steps to update policies, postings, training, and practices to ensure their ability to defend their compliance with race and other federal nondiscrimination laws.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and VIce-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Abortion, Academic medicine, air ambulance, Child Care, Childcare, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Direct Primary Care, Discrimination, DME, Doctor, drug treatment, early childhood education, Emergency Care, Employer, exchange plans, Federal Health Center, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Plan, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, Medicare Prescription Drug Program, Mental Health, Nonprofits, nursing home, OCR, OIG, Physician, Prescription Drugs, Provider contracting, Rehabilitation Act, Reproductive Rights, Section 1557, Sexual Abuse, Sexual Assault, Sexual Harassment | Permalink
Posted by Cynthia Marcotte Stamer

HHS Recommits To LGBTQ Nondiscrimination Protections In Newly Proposed Rules; Religious Exemption Likely Limited By Pending HHS Changes In Religious Freedom Protections

July 11, 2023

Health care providers, health insurance issuers, health care professional associations, state and local government entities and other organizations and providers participating or receiving funds from the Department of Health and Human Services (“HHS”) funded programs should evaluate their likely responsibilities and exposures for preventing discrimination on the basis of sexual orientation and gender under the Notice of Proposed Rule Making (“NPRM”) to the Health and Human Services Grants Regulation (the “Proposed HHS Grants Rule”) the HHS Office for Civil Rights (“OCR”) and the Assistant Secretary for Financial Resources (“ASFR”) released to the public today (July 11, 2023) and scheduled for joint publication the Federal Register on July 13, 2023.

Proposed HHS Grants Rule Overview

The NPRM builds on HHS’ efforts to ensure access to health and human services for Lesbian, Gay, Bisexual, Transgender, Queer, and Intersex (“LGBTQI”) individuals in furtherance of President Biden’s Executive Orders on Preventing and Combating Discrimination on the Basis of Gender Identity and Sexual Orientation and Advancing Equality for Lesbian, Gay, Bisexual, Transgender, Queer, and Intersex Individuals by reaffirming the prohibition against discrimination on the basis of sexual orientation and gender identity in federal statutes administered by HHS while defining procedures through which HHS would permit organization with religious objections to seek an exemption from or modification of the otherwise applicable requirements.

The Proposed HHS Grants Rule clarifies and reaffirms HHS’ prohibition against LGBTQI discrimination by stating, “In statutes that HHS administers which prohibit discrimination on the basis of sex, the Department interprets those provisions to include a prohibition against discrimination on the basis of sexual orientation and gender identity, consistent with the Supreme Court’s decision in Bostock v. Clayton County, 140 S. Ct. 1731 (2020), and other federal court precedent applying Bostock’s reasoning that sex discrimination includes discrimination based on sexual orientation and gender identity.”

The Proposed HHS Grants Rule represents the latest effort of HHS to finalize and implement prohibition against LGBTQI individuals in HHS first undertaken in 2016. Since HHS originally adding the prohibition against LGBTQI discrimination to its HHS Grants Rule, HHS faced various court challenges to its LGBTQI nondiscrimination provisions. These challenges included lawsuits challenging HHS’ interpretation of the sex discrimination prohibitions of Title VII of the Civil Rights Act of 1964, 42 U.S.C. 2000e-2(a)(1) (“Title VII”) as prohibiting discrimination based on sexual orientation and identity, First Amendment religious freedom challenges and challenges based on alleged violations of the Administrative Procedures Act.

In the intervening years, HHS originally granted various waivers, then subsequently adopted a blanket non-enforcement policy to address First Amendment religious freedom concerns about the LGBTQI discrimination prohibition and attempted to resolve Administrative Procedures Act challenges in subsequently published versions of the rules. Meanwhile, the U.S. Supreme Court resolved objections to HHS’ expansive interpretation of Title VII as extending to LGBTQI when it affirmed Title VII’s prohibition against discrimination on the basis of sex includes discrimination based on sexual orientation and gender identity in Bostock v. Clayton County, 140 S. Ct. 1731 (2020).

As currently proposed, the HHS Grants Rule has a sweeping reach. In the Proposed HHS Grant Rule, HHS reaffirms that discrimination against LGBTQI individuals is prohibited in virtually all HHS-funded and administered programs while revising the existing HHS Grants Rule to address when and how a provider with faith-based objections to the rules can seek exemption or other religious accommodations from HHS.

As currently proposed the Proposed HHS Grants Rule would treat LGBTQI discrimination as prohibited discrimination on the basis of sex in most HHS regulated or funded programs. The LGBTQI discrimination prohibition would apply to authorizations for domestic resettlement of and assistance to refugees; assistance in transition from homelessness; Children with Serious Emotional Disturbances; Title VII Health Workforce Programs; Nursing Workforce Development; Preventive Health Services Block Grant; Substance Abuse Treatment and Prevention Block Grant; Community Mental Health Services Block Grant; Maternal and Child Health Block Grant; Disaster relief; Low-Income Home Energy Assistance Program; Head Start; Community Services Block Grant Program; and Family Violence Prevention and Services programs.

HHS’ announcement of its plans to reaffirm its LGBTQI equal protection requirements in the HHS Grants Rule likely will prompt new attention and scrutiny from organizations and individuals with faith-based objections to its mandates, particularly given HHS’ release of the rule comes less than two weeks after the Supreme Court’s June 30, 2023 landmark ruling in 303 Creative LLC . v. Elenis, 600 U. S. ____ (2023), upholding the right of a website designer, who believes same-sex marriage contravenes her faith, to exemption from enforcement of a state law that prohibited a public business from communicating to patrons that service would be refused based on sexual orientation.

The Proposed HHS Grants Rule includes provisions requiring HHS to accommodate the religious rights of organizations or individuals with faith-based objections protected by the Religious Freedom Restoration Act (“RFRA”) or the First Amendment when administering and enforcing its provisions without specifically detailing the procedures for raising such objections or the standards HHS will apply to decide whether to approve a request for religious exemption or accommodation.

In this respect, the Proposed HHS Grants Rule provides that a recipient at any time may notify the HHS awarding agency, ASFR, or the Office for Civil Rights (OCR) of the recipient’s view that it is exempt from, or requires modified application of, certain provisions of the Rule due to the RFRA, the First Amendment or another religious freedom law. The Proposed HHS Grants Rule also directs that once the awarding agency receives notice of religious objection from a particular recipient, “any relevant ongoing compliance activity regarding the recipient shall be held in abeyance” until the applicable agencies in legal consultation with the HHS Office of the General Counsel determine whether the recipient is exempt from the application of certain provisions or entitled to modified application of the rules based on a federal religious freedom law.

While the Proposed HHS Grants Rule does not detail the procedures for requesting religious accommodation or the standards HHS will use to decide whether to approve requests, HHS does address those standards and procedures in other guidance, the current provision of which are highlighted on the HHS Conscience and Religious Freedom Webpage. It bears noting, however, that along with the Proposed HHS Grants Rule, HHS also currently is considering a separate proposal to narrow the availability of religious and conscience objections to its rules it announced in a January 5, 2023 Notice of Proposed Rule Making titled “Safeguarding the Rights of Conscience as Protected by Federal Statutes” (“Proposed Religion Rule”). While the official comment period for the Proposed Religion Rule closed on March 6, 2023, its provisions, if adopted as proposed, could materially affect the interpretation and enforcement of the HHS Grants Rule. Accordingly, organizations and other parties concerned about the likely interpretation and enforcement of the HHS Grants Rule with respect to parties claiming religious freedom objections should consider the likely implications of the Proposed Religion Rule in their evaluation of the HHS Grants Rule.

In response to the HHS Grants Rule, all health care providers, health plans and others expected to be impacted by the Proposed HHS Grants Rule should both begin preparing to adjust their existing policies and practices in anticipation of the finalization of the Proposed HHS Grants Rule as well as submit relevant concerns and other feedback on the Proposed Rule by the September 11, 2023 comment deadline established in the NPRM. Providers and other stakeholders with potential faith-based concerns about any of the requirements of the Proposed HHS Grants Rule should take particular note of the Rule’s proposed provisions regarding religious accommodation, taking into account the Proposed Religion Rule purposes of this planning as well as their timely submission of any comments by the applicable September 11, 2023 comment deadline.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

FY 2022 Medicaid Fraud Conviction Increase, Other Data Shows Continued Robustness of Federal Medicaid Enforcement

March 10, 2023

Department of Health & Human Services Office of Inspector General (“OIG”) data showing a rise in Medicaid criminal convictions arising from fraud and patient abuse or neglect investigations and prosecutions during the 2022 fiscal year (“FY”) confirms the continued robustness of its Medicaid Fraud Control Units (MFCUs).

According to the just-released Medicaid Fraud Control Units Fiscal Year 2022 Annual Report convictions both for fraud and for patient abuse or neglect increased since FY 2020. In FY 2022, MFCUs achieved:

1,327 criminal convictions, an increase over the previous 2 years, but resulted in criminal recoveries of only $416 million; and
553 civil settlements and judgments resulting in civil recoveries of $641 million.

A Statistical Chart included in the Report provides a breakdown by state of the civil and criminal convictions and recoveries by nature of the offense.

While the Report reveals that civil and criminal recoveries from Medicaid criminal and civil enforcement dropped in FY 2022, the increase in convictions and other data sends a clear warning to health care providers and others that Medicaid fraud investigation and enforcement remains a key priority of the OIG and federal prosecutors.

Criminal Convictions

Total convictions resulting from MFCU cases continued to increase from the FY 2020 level but remained lower than in FY 2019. In FY 2022, MFCU cases resulted in 946 convictions for fraud and 381 convictions for patient abuse or neglect.
Exhibit 2 shows the total number of convictions during FYs 2018 through 2022. Although the proportion of patient abuse or neglect convictions to fraud convictions was similar to that in previous years, the total number of patient abuse or neglect
convictions also continued to increase from the FY 2020 level.

As in previous years, significantly more convictions for fraud involved Personal Care Services (PCS) attendants than any other provider type with fraud convictions of PCS attendants, accounting for 44 percent of the fraud convictions.

MFCU convictions related to the fraudulent billing of Medicaid, fraudulent activities of Medicaid providers involving drugs diverted from legal and medically necessary uses, regardless of whether Medicaid itself was billed and other “drug diversion” cases continued to increase from the FY 2020 level. Associated criminal recoveries from drug diversion cases totaled $18 million in FY 2022. Two States, Pennsylvania and Kentucky, accounted for 79 percent of the total convictions.

In FY 2022, convictions of nurse’s aides and of nurses or physician assistants accounted for 39 percent of the total 381 convictions for patient abuse or neglect.

Criminal and Civil Recoveries

While convictions rose, criminal recoveries decreased from $857 million in FY 2021 to $416 million in FY 2022. The Report attributes the drop in atypically large criminal recovery amounts realized in FY 2021 that resulted primarily from cases prosecuted by MFCUs in Virginia and Texas that produced a combined $714 million in criminal recoveries, 83 percent of the total reported criminal recoveries in FY 2021.

The Report points out that a single Texas criminal prosecution also significantly contributed to the total criminal recoveries in FY 2022. According to the Report, $82 million of the FY 2022 criminal recoveries resulted from the prosecution and conviction of the former head of Novus and Optimum Health Services, Bradley J. Harris and other defendants by the U.S. Attorney’s Office for the Northern District of Texas for defrauding the Medicare and Medicaid programs by among other actions:

Billing Medicare and Medicaid for hospice services that were (1) not provided, (2) not directed by a medical professional, and (3) provided to patients not eligible for hospice care; and
Using blank, pre-signed controlled substance prescriptions to distribute drugs without
physician input.

Recoveries from civil settlements and judgments also decreased in FY 2022, as did the total number of civil settlements and judgments associated with pharmaceutical manufacturers. In FY 2022, $395 million (62 percent) of the $641 million in civil recoveries derived from nonglobal cases. The remaining $246 million derived from global cases.

Appendixes to the report include a list of “beneficial” practices implemented by the MFCUs to prevent and discover these and other Medicaid abuses in various regions. Reviewing the granular statistics and these findings set forth in the Report provide valuable insights for health care providers, their leaders and advisors about these and other enforcement priorities and practices.

More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Anti-KickBack, ASC, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, home health, Hospital, Medicaid, Medical Licensure, OIG | Permalink
Posted by Cynthia Marcotte Stamer

Lab Nailed For HIPAA Right Of Access Violation; Other Covered Entities Warned

January 3, 2023

A medical laboratory is the latest health care provider nailed under the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Right of Access Initiative for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access requirements.

OCR announced the 43rd access rule settlement with Life Hope Labs, LLC (“Life Hope Labs”), a full-service diagnostic laboratory in Sandy Springs, Georgia Tuesday.

In August 2021, a complaint was filed with OCR alleging that Life Hope Labs would not provide a personal representative with a copy of her deceased father’s medical records. The personal representative first requested access to her father’s records on July 7, 2021, but did not receive them until February 16, 2022, over seven months later. OCR’s investigation determined that Life Hope Labs’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

The access rule requires that patients be able to access their health information in a timely manner.

In its Resolution Agreement, Life Hope Labs agreed to pay $16,500 to resolve this investigation. In addition to the monetary settlement, Life Hope Labs also agreed to implement a corrective action plan that includes two years of monitoring by OCR.

In announcing its filing of the settlement, OCR warned other labs and health care providers to ensure their right of access compliance.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer in OCR’s announcement of the settlement. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”

More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | ambulance, DME, Doctor, drug treatment, Electronic Health Records, Emergency Care, EMTALA, English as A Second Language, Health Care, Health Care, Health IT, Health Plan, Health Plans, HIPAA, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, medical devices, Pharmaceudical, Pharmacy, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Chiropractor, Modern Vascular Office-Based Labs and Modern Vascular Corporate Entities Face False Claims Act Prosecution

December 19, 2022

Three consolidated False Claims Act (“FCA”) lawsuits against chiropractor Yury Gampel (“Gampel”), 15 Modern Vascular office-based labs owned primarily by Gampel located across the United States, and five Modern Vascular-affiliated companies owned by Gampel alert other chiropractic, physician and other medical providers using office-based labs send a clear warning to other health care providers and suppliers for services covered or billed to Medicare, Medicaid, TRICARE or other federal health care programs about the necessity to ensure their arrangements don’t involve illegal financial relationships or transactions.

False Claims Act Liability Arising From Participation In Or Filing Claims Involving Improper Inducements

The Justice Department suit against the defendants alleges the defendants both arose from the defendants participation in arrangements involving the offering and payment of illegal remuneration in violation of the federal Anti-Kickback Statute (“AKS”) and that the claims for benefits made to Medicare and other federal programs for care provided involving the arrangement violated the FCA.

The AKS generally prohibits any person or entity from soliciting, receiving, offering, or paying any direct or indirect prohibited remuneration as an inducement or reward for referring, recommending, ordering, or arranging for the purchase of any item or service for which payment may be made in whole or in part by a federal health care program. Parties violating the AKS commit a felony punishable with a fine of up to $100,000, imprisonment for up to 10 years or both.

In addition to any criminal liability arising under the AKS, filing claims derived or involving transactions prohibited by the AKS also can trigger liability for violation of the FCA. The FCA makes it unlawful for any person to submit, directly or indirectly, false or fraudulent claims for payment to the Government by among other things:

Knowingly presenting, or causing to be presented, a false or fraudulent claim for payment or approval in violation of 31 U.S.C. § 3729(a)(1)(A) (the “presentment provision”); or
Knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim in violation of 31 U.S.C. § 3729(a)(1)(B).

The FCA defines the term “knowingly” under the FCA very broadly. As defined, “knowingly” means that a person, with respect to information, (i) has actual knowledge of the information, (ii) acts in deliberate ignorance of the truth or falsity of the information, or (iii) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. § 3729(b). No proof of specific intent to defraud is required to show that a person acted knowingly under the FCA.

Violations of the FCA subject the defendant to mandatory civil penalties per FCA violation, plus three times the amount of damages that the Government sustains as a result of the defendant’s actions. 31 U.S.C. § 3729(a). Under 42 U.S.C. § 1320a-7(b)(7), health care providers submitting claims to Medicare or other federal health care programs also can face exclusion from participation in federal health care programs for FCA violations.

Health care providers filing claims for Medicare or other federal health plans can violate the FCA by knowingly presenting or causing to be presented claims for items or services that the person knew or should have known were not medically necessary, or were false or fraudulent. 42 U.S.C. §§ 1320a-7a(a)(1).

Moreover, health care providers under the Medicare statute have an affirmative duty to familiarize themselves with the statutes, regulations, and guidelines regarding coverage for the Medicare services. As a condition of program participation, Medicare regulations require providers and suppliers to certify that:

The provider or supplier meets, and will continue to meet, the requirements of the Medicare statute and regulations, 42 C.F.R. § 424.516(a)(1), including that any claims and underlying transactions made in a claim for Medicare comply with the Federal anti-kickback statute and the Stark law), and on the supplier’s compliance with all otherwise applicable conditions of participation in Medicare; and
The provider or supplier will not knowingly to present or cause to be presented a false or fraudulent claim for payment by Medicare, or to submit claims with deliberate ignorance or reckless disregard of their truth or falsity.

Additional certifications of continued compliance with these requirements also are required when claims are filed. Accordingly, since health care providers and suppliers are responsible for taking appropriate steps to familiarize themselves with the rules and regulations applicable to their claim and the transactions underlying it and certify in connection with the filing of the claim that the claim and its underlying transactions comply with the law, health care providers filing claims involving prohibited financial incentives or other transactions prohibited by law risk FCA liability.

Gampel, Modern Vascular FCA Complaint

Derived from the Justice Department’s assumption and consolidation of various qui tam lawsuits separately brought by various physicians, the United States filed its complaint in three consolidated lawsuits pending in the United States District Court for the District of Arizona under the qui tam, or whistleblower, provisions of the False Claims Act, 31 U.S.C. §§ 3729-3733 (“FCA”) which allow a private citizen to sue on behalf of the government and share in any recovery. The United States is also entitled to intervene in the lawsuits, as it did in these cases.

The resulting consolidated three consolidated Justice Department lawsuits seek to recover treble damages and civil penalties, and under common law and equitable theories of recovery from defendants for their billing of Medicare, TRICARE and other federal health care programs for claims resulting from transactions involving prohibited remuneration offered and provided in violation of the AKS under Gampel’s alleged schemes Nobility Management LLC; Modern Vascular LLC; Modern Vascular of South Florida LLC; Modern Vascular Management LLC; Modern Vascular Management – East LLC; Modern Vascular Management – West LLC; Modern Vascular Institute LLC; Modern Vascular of Mesa LLC; Modern Vascular of Glendale LLC; Modern Vascular of Sun City LLC; Modern Vascular of Tucson LLC; San Antonio Vascular Specialists Corp. dba Modern Vascular; Fort Worth Vascular Specialists Corp. dba Modern Vascular; Modern Vascular of Denver LLC; Modern Vascular – Navajo LLC; Modern Vascular of Fairfax LLC; Modern Vascular of Houston LLC; Modern Vascular of Indianapolis LLC; Modern Vascular of Southaven LLC; Modern Vascular of St. Louis LLC; and Modern Vascular of Kansas LLC.

The Justice Department complaint alleges Defendant Yury Gampel, a chiropractor, is the founder and former Chief Executive Officer (“CEO”) of a franchise of office-based labs (“OBL”) located in Arizona, New Mexico, Colorado, Texas, Indiana, Kansas, Mississippi, Missouri, Tennessee, and Virginia operating under the name Modern Vascular (collectively, the “Modern Vascular OBLs”). The Modern Vascular OBLs – each its own separate legal entity – focus on the treatment of peripheral arterial disease (“PAD”), particularly through an aggressive use of vascular intervention procedures, such as angioplasty and atherectomy. The complaint claims Gampel and the Modern Vascular defendants designed and promoted the franchises that incorporated a package of management and other services provided by various Modern Vascular defendant companies.

Defendant Nobility Management, LLC, provides management services to the Modern Vascular OBLs. Defendants Modern Vascular Management, LLC; Modern Vascular Management – East, LLC; and Modern Vascular Management – West, LLC, offer
IT and management support to Modern Vascular OBLs. Defendants Modern Vascular, LLC, and Modern Vascular of South Florida, LLC, are corporations controlled by Gampel that have various ownership interests in Modern Vascular OBLs. Through Modern Vascular, LLC, and Modern Vascular of South Florida, LLC, and in his own capacity, Gampel is the majority owner of the Modern Vascular OBLs. (These entities that own and manage the Modern Vascular OBLs are referred to collectively below as “Modern Vascular Corporate.”)

The complaint alleges that Gampel and Modern Vascular Corporate designed and implemented a fraud scheme at Modern Vascular OBLs at the expense of patients and federal payors from at least January 1, 2018 through June 30, 2022. Among other things, the complaint charges Gampel and the Modern Vascular defendants offered physicians the opportunity to invest in Modern Vascular office-based labs to induce them to refer their Medicare and TRICARE patients to Modern Vascular for the treatment of peripheral arterial disease. More specifically, Gampel and Modern Vascular Corporate opened Modern Vascular OBLs in new markets where referring physicians and vascular surgeons had established relationships. Prior to opening an OBL in a particular location, Gampel sought out up to 20 local physicians – usually podiatrists and pain management physicians – who traditionally referred to vascular surgeons and offered each up to a two percent ownership interest in the OBL in order to induce the physicians to refer to the OBL. Gampel and Modern Vascular Corporate selected these particular physicians (hereinafter “physician investors”) to offer ownership investment because Gampel and Modern Vascular Corporate identified them as potential high-referral sources. Once they invested in an OBL, Gampel and Modern Vascular Corporate further required the physician-investors to make referrals to Modern Vascular OBLs as a condition for remaining as a physician-investor. The complaint also alleges that Gampel pressured vascular surgeons and interventional radiologists employed at the Modern Vascular office-based labs to increase the number of invasive surgical procedures performed by tracking procedures and setting aggressive weekly and monthly goals for such procedures. In particular, Gampel and Modern Vascular Corporate provided remuneration to physician investors in Modern Vascular OBLs to induce those investors to refer patients to the Modern Vascular OBL.

The Justice Department charges that using this scheme, Defendants between January 1, 2018 and June 30, 2022 submitted, and caused to be submitted, tens of millions of dollars in false or fraudulent claims to Medicare, TRICARE and other federal health care programs by offering and providing illegal remuneration to health care providers to induce referrals to the Modern Vascular OBLs in violation of the Anti-Kickback Statute (“AKS”), 42 U.S.C. § 1320a-7b. To induce referrals, Gampel and Modern Vascular Corporate provided remuneration to physician-investors in the form of equity ownership interests in an OBL, which also included distributions, the prospect of future distributions, and/or the prospect of a cash-out of the equity ownership amounts when
the Modern Vascular OBLs were sold. During the relevant time period, the Justice Department also claims Modern Vascular
OBLs received over $50 million from Medicare Part B alone for claims submitted for patients referred by physician-investors in violation of the FCA.

Warning To Other Heath Care Providers & Suppliers

In announcing its filing of the Gambrel FCA lawsuit, the Justice Department warned other federal health program providers and suppliers and their business partners, investors, employees and agents from violating the AKS, FCA or both in the provision of or billing of health care services or supplies. “As part of our mission to protect the American people, the FBI remains committed to safeguarding patients who rely on our healthcare systems,” said Deputy Assistant Director Aaron Tapp of the FBI’s Criminal Investigative Division. “The FBI and our law enforcement partners will continue to investigate those who abuse our healthcare systems, place patients at risk, and waste taxpayer dollars.”

This warning, along with the ever-lengthening list of federal criminal and civil prosecutions, convictions and settlements by the Justice Department, the Department of Health & Human Services Office of Inspector General and other agencies provide a strong warning to health care providers, suppliers and others involved in creating or administering transactions and other arrangements for the delivery and billing for health are to be billed to Medicare, Medicaid, TRICARE and other health care arrangements covered by the AKS, the FCA or other federal or state health care fraud laws to take well documented care to ensure the care delivery arrangement does not involve transactions prohibited under the AKS or other federal or state health care fraud transactions and the care billed qualifies for reimbursement before submitting the claim. Parties who know or suspect that they may have participated in an arrangement prohibited under these laws or submitted prohibited claims should contact experienced legal counsel within the scope of attorney-client privilege for assistance in reviewing those concerns and exploring options for correction or mitigation.

For More Information

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC, Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE: Terms. These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances. The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Leave a Comment » | Academic medicine, Anti-KickBack, ASC, billing, compensation, Conditions of Participation, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, Home Health, Hospice, Hospital, Hospital, Indian Health, Inpatient Rehabilitation Facility, Laboratory tests, Laws, long-term care, Medicaid, Medicaid Advantage, Medicare, Mergers and Acquisitions, nursing home, Outpatient, pain management, Pharmaceudical, Physician, Physician Licensing, Prescription Drugs, Reimbursement | Tagged: Anti-Kickback, Health Care Fraud, Health Care Reimbursement, Medicaid, Medicare, Office-based labs | Permalink
Posted by Cynthia Marcotte Stamer

FTC-HHS Seek To Help Mobile Health App Developers Assess When Certain Federal Rules Apply

December 8, 2022

Developers of mobile applications for healthcare and fitness must identify and negotiate a diverse array of federal and state laws, regulations and rulings when designing and deploying their apps.

Since figuring out which federal rules apply often proves challenging, the Federal Trade Commission (FTC) in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) maintain and have just updated the Mobile Health App Interactive Tool intended to help developers of health-related mobile apps understand when and federal laws and regulations might apply.

While not covering all relevant legal risks, the guidance tool does highlight certain key regulatory concerns by asking developers a series of high-level questions about the nature of their app, including about its function, the data it collects, and the services it provides to users. Based on the developer’s answers to those questions, the guidance tool points the app developer toward detailed information about certain federal laws that might apply to the app. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug and Cosmetics Act (FD&C Act), and the 21st Century Cures Act and ONC Information Blocking Regulations.

Using the tool can help to clarify the potential applicability of these rules to a proposed app and help focus the developer on issues to consider regarding these laws as they design in administer their apps. Running through the tool also could help reduce legal fees and other consulting anniversary costs by helping developers of these apps gather helpful information and be more prepared to participate in informed manner when working with the legal team on their compliance. Additionally documented use of the tool could prove helpful in the event of a compliance audit or investigation by capturing evidence helpful to establish a culture of compliance or mitigate other potential liability concerns.

Of course app developers using these tools need to keep in mind that they are not legal advice or a substitute for legal advice. The tools only are intended to provide guidance regarding the potential likely application of the rules covered by the tool. They do not cover broad range of other federal and state Laws, regulations, rulings, and contractual commitments that also can impact the use and design of these apps and their defensibility and a broad range of circumstances. Moreover developers also should keep in mind that the use of the tools and their discussion may uncover existing or past compliance concerns, which might best be conducted within the protection of attorney-client privilege. Consequently, developers and users should consult and closely worked with experienced, qualified legal counsel to address these and other legal risks and compliance.

For Help With Comments, Investigations Or Other Needs

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

Leave a Comment » | Health Care, HIPAA, Medical Privacy, Mental Health, Privacy, Substance Abuse, substance abuse treatment | Tagged: fitness pp, Health Care, Health IT, mobile health app, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

HHS’ Proposed Changes Broadening Substance Use Confidentiality Rules, Consistency With HIPAA Requirements Raise Compliance Concerns For Health Care, Insurance & Other Businesses

November 28, 2022

Mental health and other healthcare providers, health plans and issuers, employers, health care professional associations, consumer advocates, community organizations, state and local government entities, patients and caregivers and others concerned with mental health and substance abuse treatment and management should review and comment by January 30, 2023 on proposed changes to rules on unauthorized disclosures the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (“Part 2”) proposed by the U.S. Health and Human Services Department Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) in a Notice of Proposed Rulemaking (NPRM) made public November 28, 2022 here and scheduled for publication in the December 2, 2022 Federal Register. If adopted as proposed, mental health and substance abuse providers, as well as other health care providers and insurers should prepare to meet new responsibilities and manage new liabilities under the revised rules.

On November 28, 2022, OCR and SAMHSA issued the NPRM to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (“Part 2”), which seek to address concerns that concerns about discrimination or prosecution might deter people from entering treatment for SUD by protecting “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”(“SUD Records”).

Currently, the Part 2 protections of patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures differ from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules (“HIPAA”) rules. These distinctions create barriers to information sharing by patients and among health care providers and create dual obligations and compliance challenges for regulated entities. To address this concern, Congress mandated in Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that HHS to bring Part 2 into greater alignment with certain aspects of the HIPAA Privacy rule.

The NPRM seeks to address the CARES Act mandate as Americans and their leaders struggle to continue to provide pathways for victims of substance abuse and other mental health challenges to pursue treatment and maximize their participation and enjoyment in our communities while addressing safety concerns about a growing series of rare but notorious acts of violence committed by certain inadequately diagnosed or managed victims of mental health or substance abuse. See, e.g., Fact Sheet: President Biden To Announce Strategy To Address Our National Mental Health Crisis, As Part Of Unity Agenda In His First State Of The Union; President Biden Releases National Drug Control Strategy to Save Lives, Expand Treatment, and Disrupt Trafficking; Actions Taken by the Biden-⁠Harris Administration to Address Addiction and the Overdose Epidemic; Colorado Springs LGBT Nightclub Shooting Leaves Five Dead and 25 Injured; Virginia Walmart Shooting Gunman “Was Picking People Out,” Witness Says; Opinion: Leaders Blamed the Uvalde Shooting on a Mental Health Crisis. Gun Violence Is Making That Crisis Worse; Nancy Pelosi Husband Attack Suspect David Depape Pleads Not Guilty To Federal Charges.

Amid these challenges, the NPRM proposes to implement this CARES Act mandate through the following changes to Part 2 that HHS says will help safeguard the health and outcomes of individuals with SUD while creating greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act:

Permit Part 2 programs to use and disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations;
Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions;
Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient;
Create two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
- Right to an accounting of disclosures; and
- Right to request restrictions on disclosures for treatment, payment, and health care operations;
Require disclosures to the Secretary for enforcement;
Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations;
Require Part 2 programs to establish a process to receive complaints of Part 2 violations;
Prohibit Part 2 programs from taking adverse action against patients who file complaints;
Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services;
Apply the standards in the HITECH Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs;
Modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Notice of Privacy Practices;
Modify the HIPAA Notice of Privacy Practices requirements for covered entities who receive or maintain Part 2 records to include a provision limiting redisclosure of Part 2 records for legal proceedings according to the Part 2 standards; and
Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records while investigating or prosecuting a Part 2 program, when certain preconditions are met.

While the Department is undertaking this rulemaking, the current Part 2 regulations remain in effect. However, once the comment period ends, the Biden Administration-led HHS is expected to finalize the proposed changes quickly. Consequently, in addition to sharing any concerns or other input about the proposed changes during the comment period, health care providers, health plans, health care clearinghouses, employers, community agencies, state and local governments, patients and other caregivers and other concerned parties also should begin planning and preparing to respond to the anticipated changes in the requirements.

Implications For Health Care Providers, Health Insurers & Other Businesses

The NPRM’s extension of HIPAA and HIPAA-like requirements to the Part 2 substance abuse confidentiality provides clarification by adding new obligations for health care providers and others involved in substance abuse treatment or recordkeeping. Health care providers, health insurance, and others involved with these activities will need to assess and plan to meet these new responsibilities and the steps they can be expected to take to fulfill them.

Beyond these more obvious burdens, mental health and substance abuse and other health care providers and businesses also should carefully assess the potential implications of the proposed changes on their worker and vendor credentialing and workplace safety practices as well as their health and other benefit programs. Assuming the changes are adopted in their current form, businesses sponsoring health benefit programs, and health care organizations and providers specifically should prepare to modify their HIPAA required notices of privacy practices and associated practices to comply with the proposed updates.

Businesses required to comply with Department of Transportation Drug Free Workplace or other alcohol and substance abuse requirements also should consider the potential implications of the proposed changes on their ability to secure relevant substance abuse treatment and related history. In assessing these implications, businesses also should be cognizant of a new proactivity on behalf of certain uses of drugs by workers in the workplace under the Americans With Disabilities Act (“ADA”). For instance, the EEOC recently has sued Eagle Marine Services Electrical & Refrigeration, LLC for allegedly violating the ADA by refusing to hire or accommodate a worker because he used medication prescribed by his doctor to treat attention deficit hyperactivity disorder (“ADHD”) without making any individual assessment of the worker’s medication use or whether it would affect his ability to safely perform the marine electrician position, and instead relied on general stereotypes about disability and medication use to justify its decision not to hire him. Businesses seeking to investigate or deny employment opportunities to workers based on the worker’s past or current medication use will want to use care to ensure that their practices are tailored to defend against similar challenges.

Health plan sponsors and insurers also should assure their mental health and substance abuse treatment coverage documents and practices are defensible under the latest mental health and substance abuse parity mandates of the Mental Health Parity and Addiction Equity Act (MHPAEA) and coverage requirements of the Patient Protection and Affordable Care Act (“ACA”). Along with a host of statutory changes since the original parity mandates took effect, implementing regulations and guidance about non-qualitative limitations and exclusions and heightened agency enforcement are ramping up enforcement and liability risks. In addition to exposing the health plan administrators and other fiduciaries to potential claims denial or fiduciary responsibility claims brought by participants or beneficiaries, the Department of Labor or both, administrative penalties by the EBSA, or both, the MHPAEA mental health and substance abuse parity rules are among 40 federal mandates that when violated can trigger the automatic $100 per violation per day employer excise tax penalty under Internal Revenue Code Section 6039D. Consequently, violations of the MHPAEA are particularly risky and potentially expensive for private employers, their health plans and the plan administrators and fiduciaries that administer it.

For Help With Comments, Investigations Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

Leave a Comment » | Health Care, Health Care, HIPAA, Medical Privacy, Mental Health, Privacy, Substance Abuse, Substance Abuse, substance abuse treatment | Permalink
Posted by Cynthia Marcotte Stamer

More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

Trump Merit-Based Civil Rights Executive Orders Heighten Public & Private Civil Rights & Other Discrimination Risks

Announced OCR Investigations Since February Show HHS Enforcement Risks

Dear Colleague Letter Advises Academic Medicine & Other HHS-Funded Organizations On Implementing Merit Based Decisionmaking

Act Now To Mitigate Risks From Past, Current & Future Non-Merit Based Decisions & Other Prohibited Discrimination

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

Share this:

Federal Statutes Protect “Right of Conscience” In Health Care

Church Amendment

Coats-Snow Amendment

Weldon Amendment.

Trump Policy Directives Drive New Risks By Changing Prior Religion & Other Discrimination Interpretations & Prioritizing New Rule Enforcement For Past, Current & Future Actions

New HIPAA Whistleblower Guidance

2 New Right Of Conscience Investigations Signal Growing Enforcement Risks

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

HIPAA Hacking Responsibilities & Risks

Warby Parker’s Hard Lesson

Ransomware & Other Hacking Now OCR #1 HIPAA Enforcement Priority

For HIPAA Help or Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

About the Author

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Duty To Guard Against Malware

Green Ridge Ransomeware Breach

First Malware Settlement

Warning To All Covered Entities

For More Informational

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

LDTs Defined

FDA Steps Up LDT Oversight

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Proposed HHS Grants Rule Overview

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Criminal Convictions

Criminal and Civil Recoveries

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

False Claims Act Liability Arising From Participation In Or Filing Claims Involving Improper Inducements

Gampel, Modern Vascular FCA Complaint