November 29, 2012
Hospitals should act quickly to adopt appropriate compliance policies and tighten outpatient and inpatient admissions recordkeeping and associated billing activities to minimize exposures signaled by audits announced by the Department of Health & Human Services (HHS) Office of Inspector General (OIG).
OIG reportedly is auditing inpatient and outpatient hospital claims for new and established patients to identify potential overcharges by some hospital-based outpatient clinics that may have resulted from treating established patients as if they were new patients. OIG’s Office of Audit Services reportedly sent letters to some hospitals in October, asking about a handful of claims for new patient visits that OIG suspects the hospital should have billed as established patient visits. In addition to requesting specific information about line items on the claims, the letters reportedly ask hospitals about their internal controls for billing new versus established patients and to provide descriptions of written policies and procedures governing the facilities’ classification of new versus established patients and internal controls for detecting errors.
Medicare typically has paid more for new versus established patients since CMS implemented the outpatient prospective payment system in 2000. Since 2008, CMS rules have specified that patients who visit the hospital outpatient clinic within three years are established patients, and after that they are new, with Medicare paying more for the latter. See 73 Fed. Reg. 68502, 68679 (November 18, 2009). Data mining technology increasingly used by CMS and other federal fraud investigators facilitates the ability of Medicare and others to identify errors in coding and billing resulting from misclassification of existing patients as new.
Many hospitals may be exposed under this requirement for a variety of reasons, including failure to appropriately track and coordinate inpatient and outpatient admission data, defaults built into recordkeeping systems, and failures to timely update practices or training. In contrast to the risk of overbilling from incorrectly treating patients as new, hospitals that bill all patients as established to overcome inadequacies in their ability to track new versus established patients often leave money on the table unnecessarily by forgoing added reimbursement that the facility otherwise would qualify for if it could reliably identify new patients.
While strengthening coding and billing to ward off risks, many debate the appropriateness of CMS’ new versus existing patient distinction outside the physician office context. Critics contend that unlike in the physician office context, the level of care or resources delivered for a new patient compared to a patient who previously visited the hospital doesn’t generally differ. Parties with these concerns should continue to ensure appropriate compliance with existing rules while providing input and feedback to CMS and other regulators about their concerns with the policy’s suitability.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need help reviewing or commenting on the Test Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American Bar Association, State Bar of Texas and other prominent organizations, Ms. Stamer has more than 24 years’ experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to set up and administer medical privacy, EHR and other technology and other compliance and risk management policies, and to respond to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy and other technology, risk management and compliance-related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.
You can get more information about her experience here.
Other Recent Updates & Resources
If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:
OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight
Congress Sends Bill Amending Lab Testing Rule Violation Sanctions
Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!
$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks
Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities
ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop
Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next
Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital
Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme
Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme
Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges
Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech
ONC Releases First Wave of EHR Test Procedures; More To Come
OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise
Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA
HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!
AHRQ Issues New Guide for Use of Interactive Preventive Care Record
Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions
For more resources and publications training materials by Ms. Stamer, see here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.
©2012 Cynthia Marcotte Stamer, P.C. nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.
Posted by Cynthia Marcotte Stamer
November 29, 2012
The Department of Health & Human Services Office of Inspector General is recommending the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) act to improve the effectiveness of its oversight and management of the Medicare electronic health record (EHR) incentive program. The recommendations are likely to impact on the requirements that hospitals and other professionals will be required to meet to get and keep EHR program incentive payments. Consequently, hospitals, physicians and other providers and their technology and other systems advisors and vendors should carefully watch and respond to changes that these two agencies implement in response to the OIG feedback.
According to an OIG study reported here, CMS estimates that it will pay $6.6 billion in EHR incentive payments to providers under the program between 2011 and 2016. Many hospitals, physician organizations and other providers are making substantial investments in EHR and related technologies in reliance on the expectation of receiving program incentive payments. Accordingly, parties hoping to qualify for incentive payments need to watch closely the actions that the agencies take, in response to this OIG input or otherwise, that impact qualification and audits.
OIG Study & Findings
OIG’s early assessment of CMS’s oversight of the Program found that because professionals and hospitals self-report data to prove fulfillment of program requirements, CMS’s efforts to verify these data will help ensure the integrity of Medicare EHR incentive payments.
The recommendation comes from an OIG study reviewing CMS’s oversight of professionals’ and hospitals’ self-reported meaningful use of certified EHR technology in 2011, the first year of the program. OIG evaluated self-reported information against program requirements. It also looked at CMS’s audit planning documents, regulations and guidance for the program and conducted structured interviews with CMS staff on CMS’s oversight.
Based on this evaluation, OIG found CMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements. OIG says CMS has not yet implemented strong prepayment safeguards and has limited ability to safeguard incentive payments postpayment. OIG also reports that the ONC requirements for EHR reports may contribute to CMS’s oversight obstacles.
OIG Recommended Corrective Action
Based on its study, OIG is recommending that CMS take the following actions.
- Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self‑reported information and
- Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance.
CMS did not agree with OIG’s first recommendation, stating that prepayment reviews would increase the burden on practitioners and hospitals and could delay incentive payments. Despite this CMS feedback, OIG is continuing to recommend that CMS conduct prepayment reviews to improve program oversight. CMS concurred with OIG’s second recommendation.
OIG also recommended that ONC take the following actions:
- Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible and
- Improve the certification process for EHR technology to make sure applicants provide accurate EHR reports.
ONC concurred with both recommendations.
Recommended Provider Action
Hospitals and providers looking to take advantage of the EHR incentive payments should carefully monitor the developments resulting from these recommendations and take proper actions to stay compliant with evolving requirements as they move forward.
Along with monitoring these responses, providers participating in the incentive program also need to stay abreast of other developments. For instance, last month, ONC announced the release of the Wave 7 2014 Edition Draft Test Methods (test procedures, tools, and applicable test data and files). See 2014 Edition Draft Test Procedures webpage. Additional waves of test methods are impending. ONC says it expects the final set of Test Methods to be available for use in early 2013.
Posted by Cynthia Marcotte Stamer
November 9, 2012
The Office of the National Coordinator for Health IT (ONC) today (November 9, 2012) announced a preliminary agenda of topics and the procedures for health care providers and other interested parties wishing to participate in a public virtual workshop on the ONC Health Information Technology (IT) Certification Program and 2014 Edition Test Methods that ONC plans to host on Tuesday, November 13, 2012 from 8:15 AM-4:30 PM EST.
The announced commencement time is 45 minutes earlier than the 9:00 AM start time that ONC originally announced for the workshop in its November 8 announcements.
To review the preliminary agenda for the workshop, see http://www.healthit.gov/policy-researchers-implementers/2014-edition-draft-test-methods.
According to today’s ONC announcement, parties wishing to participate in the virtual workshop should register for ONC Certification Technical Workshop on Nov 13, 2012 8:15 AM EST at https://attendee.gotowebinar.com/register/2114316126469925632 . ONC says that successful registrants will receive a confirmation email containing information about joining the webinar.
The planned workshop follows ONC’s announcement of the release for review of the latest in a series of electronic medical records Test Standards that ONC has issued recently in its march to implement its mandate. ONC says all Test Methods will undergo public review and comment before being finalized and approved by ONC for use in testing and certification. ONC typically allows a two-week period of public review and comment on each Wave from the date it is posted.
In keeping with this process, ONC is inviting interested persons to submit comments and suggestions to ONC.Certification@hhs.gov. All submissions should include “2014 Test Methods” in the subject line. ONC asks parties submitting input to be as specific as possible in their comment submissions.
ONC says it expects the final set of Test Methods to be available for use in early 2013.
Posted by Cynthia Marcotte Stamer
November 8, 2012
The Office of the National Coordinator for Health IT (ONC) today (November 8, 2012) announced the release of the Wave 7 2014 Edition Draft Test Methods (test procedures, tools, and applicable test data and files). To review the 2014 Edition draft Test Methods, visit the 2014 Edition Draft Test Procedures webpage. As a follow up to this announcement, ONC is inviting interested parties to participate in a public workshop on the ONC HIT Certification Program and 2014 Edition Test Methods on Tuesday, November 13th, 9AM-4:30PM EST.
The Test Procedures announced today are the latest in a series ONC has issued recently. ONC says all Test Methods will undergo public review and comment before being finalized and approved by ONC for use in testing and certification. ONC typically allows a two-week period of public review and comment on each Wave from the date it is posted.
In keeping with this process, ONC is inviting interested persons to submit comments and suggestions to ONC.Certification@hhs.gov. All submissions should include “2014 Test Methods” in the subject line. ONC asks parties submitting input to be as specific as possible in their comment submissions.
ONC says it expects the final set of Test Methods to be available for use in early 2013.
To help interested parties stay informed about the Test Messages, ONC also announced today it will host a virtual public workshop on the ONC HIT Certification Program and 2014 Edition Test Methods on Tuesday, November 13th, 9AM-4:30PM EST. According to ONC, the topics to be covered include 2014 Test Procedures, Test Tools, Test Data, ONC Timeline, and the Certified Health IT Product List (CHPL). ONC says additional details regarding access and agenda will be forthcoming. Watch the ONC website.
Posted by Cynthia Marcotte Stamer
September 17, 2012
Physician practices and other health care providers, health plans, health care clearinghouses and their business associates have yet another $1 million plus reminder of the importance of taking proper steps to secure electronic protected health information and take other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) on September 17, 2012.
MEEI Resolution Agreement
The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The laptop information included patient prescriptions and clinical information.
OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response. OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.
To settle the charges, MEEI will pay a $1.5 million settlement to OCR. The Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.
High Dollar Resolution Agreements Increasingly Common
The MEEI Resolution Agreement follows on the resolution agreement previously announced this year with Arizona-based Phoenix Cardiac Surgery, P.C. (PCS). That resolution agreement required PCS to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated HIPAA.
Health care providers and other HIPAA-covered entities should heed the MEEI, PCS and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer appropriate HIPAA compliance practices.
Following the announcement by OCR last month that Blue Cross Blue Shield of Tennessee (BCBST) would pay $1,500,000 to resolve HIPAA violations charges, and as the latest in a series of Resolution Agreements announced by OCR in recent years, the PCS resolution agreement highlights OCR’s willingness to sanction health care providers and other covered entities of all sizes. “The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures facing health care providers, health plans, health care clearinghouses and their business associates, and of their need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. For tips, see here.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
You can get more information about her HIPAA and other experience here or contact Ms. Stamer here or at (469) 767-8872.
[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.
For more tips, see here.
Other Recent Updates & Resources
If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:
- Dallas Business Journal Health Care Fraud Article Quotes Stamer
- Comment Period Extended To 3/21 On Proposed Extension Of Minimum Wage, Overtime To In-Home Caregivers
- 2 Doctors, 4 Nurses Join 11 Defendants Charged in $20M Home Health Fraud, Kickback, Money Laundering & Tax Evasion Sting
- States Medicaid & Other Health Care Fraud Enforcement Successes Continue
- Data Mining, Statistical Profiling Play Key Role In Arrest of Dallas Doctor, Office Manager & 5 Home Health Agency Owners
- ONC Releases Proposed Rules For Meaningful Use Stage 2
- DOJ & HHS Health Care Fraud Enforcement Nets $4 Billion + In 2011
- Update Charity and Sliding Fee Scale Policies For 2012 Federal Poverty Rate Changes
- Texas Physicians Get New Option For Resolving Some Medical Board Complaint
- Broad-Reaching Prosecution Of Individuals Participating In Operations Of Companies Convicted Of Fraud Shows Risks Of Participation
- Hospitals Can Expect CMS To Add Hospital Incident Reporting To Surveys In Response To OIG Report
- North Texas Medical Supply Company Owner Indicted For Health Care Fraud Now Also Charged With Immigration Fraud
- DOL Proposes Tighter Overtime, Minimum Wage Rules For Home Care Workers, Continues Scrutiny Of Health Care Employers
- DFW Hospital Council Foundation Among 26 Organizations Selected To Lead Quality Effort
- Former Houston Texas Physician Gets 70 Month Prison Sentence For Fraud Conviction
- Euless Healthcare Corporation Owner, Associates Face Conspiracy And Health Care Fraud Charges For Alleged Submission Of $700,000+ In Fraudulent Health Care Claims
For additional resources and publications training materials by Ms. Stamer, see here.
Posted by Cynthia Marcotte Stamer
September 14, 2012
On September 7th the ONC published the first wave of draft Test Procedures and applicable test data files for the 2014 Edition Electronic Health Record (EHR) certification criteria for public review and comment. ONC will release additional Test Procedures in waves on a weekly or bi-weekly basis. Each set of draft test procedures will undergo a two-week period of public review and comment from the date posted. You can now provide input on Wave One 2014 draft Test Procedures. Visit the site for detailed information on the 2014 Test Procedure development process at http://www.healthit.gov/policy-researchers-implementers/2014-edition-draft-test-procedures.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need help monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
You can get more information about her HIPAA and other experience here.
Posted by Cynthia Marcotte Stamer
September 14, 2012
Along with its stepped-up enforcement and new audit programs, the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) is working to promote and encourage better voluntary compliance by physicians and other health care providers by releasing a new interactive security and privacy training game to help educate health care providers and their staffs to make more informed decisions regarding privacy and security of health information. The game asks users to respond to privacy and security challenges often faced in a typical medical practice.
With the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) stepping up enforcement and sanctions for health care providers, health plans, health care clearinghouses and their business associates (covered entities) that violate the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules, and with OCR now auditing HIPAA compliance, covered entities should self-audit within the scope of attorney-client privilege and tighten as necessary existing policies, practices and documentation to comply with evolving requirements of HIPAA and other laws requiring the protection of protected health information (PHI), personal financial information and sensitive data.
As the HIPAA Privacy, Security and Breach Rules include mandates that covered entities train members of their workforce, the new game could be a helpful component for health care providers as part of their organization’s training efforts.
The mounting list of settlement agreements – most of which have required settlement payments of more than $1 million – that OCR has announced show the growing exposures that covered entities face when violating HIPAA. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. These settlements and sanctions prove the importance of covered entities strengthening their HIPAA compliance and adopting other suitable safeguards to keep up HIPAA compliance and minimize HIPAA and other exposures that can arise if PHI, personal financial information and other sensitive data. For tips, see here.
Posted by Cynthia Marcotte Stamer
July 30, 2012
Health care providers and payers should ensure that practices for billing private payers can withstand the scrutiny of federal and state health care fraud enforcers after the July 26, 2012 announcement of a ground-breaking new public-private antifraud initiative between federal and state health care fraud fighters and private insurers, under which private insurers will share an unprecedented amount of private health claims data and fraud detection practices, and offer other coöperation, with federal and state officials’ fraud prevention and prosecution efforts.
Government Health Care Fraud Fighters Partner With Private Insurers
The Federal health care fraud fighting departmental duo of the Departments of Health and Human Services (HHS) and Justice (DOJ) last week expanded their network of fraud fighting resources by launching a “ground-breaking” partnership among the federal government, State officials, several leading private health insurance organizations, and other health care anti-fraud groups to prevent health care fraud. HHS and DOJ say the following organizations and government agencies are among the first to join this partnership:
- America’s Health Insurance Plans
- Amerigroup Corporation
- Blue Cross and Blue Shield Association
- Blue Cross and Blue Shield of Louisiana
- Centers for Medicare & Medicaid Services
- Coalition Against Insurance Fraud
- Federal Bureau of Investigation
- Health and Human Services Office of Inspector General
- Humana Inc.
- Independence Blue Cross
- National Association of Insurance Commissioners
- National Association of Medicaid Fraud Control Units
- National Health Care Anti-Fraud Association
- National Insurance Crime Bureau
- New York Office of Medicaid Inspector General
- Travelers
- Tufts Health Plan
- UnitedHealth Group
- U.S. Department of Health and Human Services
- U.S. Department of Justice
- WellPoint, Inc.
HHS & DOJ Say Partnering With Private Insurers Will Give Ongoing Anti-Fraud Efforts Even More Punch
In announcing the new partnership on July 26, 2012, HHS Secretary Kathleen Sebelius and Attorney General Eric Holder touted this new voluntary, collaborative public-private arrangement as the “next step” in the Obama administration’s efforts to combat health care fraud.
“This partnership is a critical step forward in strengthening our nation’s fight against health care fraud,” said Attorney General Holder. “This Administration has established a record of success in combating devastating fraud crimes, but there is more we can and must do to protect patients, consumers, essential health care programs, and precious taxpayer dollars. Bringing additional health care industry leaders and experts into this work will allow us to act more quickly and effectively in identifying and stopping fraud schemes, seeking justice for victims, and safeguarding our health care system.”
“This partnership puts criminals on notice that we will find them and stop them before they steal health care dollars,” Secretary Sebelius said. “Thanks to this initiative today and the anti-fraud tools that were made available by the health care law, we are working to stamp out these crimes and abuse in our health care system.”
Partnership Allows Feds To Use Private Payer Claims Data, Knowledge & Other Fraud Detection Resources
According to HHS and DOJ, the new partnership is designed to share information and best practices in order to improve detection and prevent payment of fraudulent health care billings. Its goal is to reveal and halt scams that cut across a number of public and private payers. HHS and DOJ say the partnership will allow private insurers to share their anti-fraud insights more easily with investigators, prosecutors, policymakers and other stakeholders, and will allow law enforcement officials to more effectively identify and prevent suspicious activities, better protect patients’ confidential information and use the full range of tools and authorities provided by the Patient Protection & Affordable Care Act (Affordable Care Act) and other statutes to combat and prosecute illegal actions.
One unprecedented element of this partnership will involve the sharing of information on specific schemes, utilized billing codes and geographical fraud hotspots between the public and private partners. The partners say the planned sharing of claims data and other information will help partners prevent, detect and respond to potential health care billing fraud by:
- Helping partners to take action to prevent losses to both government and private health plans before they occur;
- Improving their ability to spot and stop payments billed to different insurers for care delivered to the same patient on the same day in two different cities;
- In the future, using sophisticated technology and analytics on industry-wide health care data to predict and detect health care fraud schemes.
Presumably, this will involve the extension of the use of state-of-the-art technology and data mining practices like those the Centers for Medicare & Medicaid Services (CMS) already uses to review claims, to track suspected fraud trends and flag suspected fraudulent activity.
Partnership Expands Use & Reach of New Affordable Care Act & Other Health Care Fraud Detection & Enforcement Tools & Collaboration
The partnership builds upon and extends the reach and use of expanded legal tools created by the Affordable Care Act and other laws that Federal and state officials are using in their highly publicized war against health care fraud, waste and abuse in Medicare, Medicaid, the Children’s Health Insurance Program (CHIP) and, increasingly, private insurance plans. Using these and other new tools, convictions under the Health Care Fraud and Abuse Control Program increased by over 27% (583 to 743) between 2009 and 2011, and the number of defendants facing criminal charges filed by federal prosecutors in 2011 increased by 74% compared with 2008 (1,430 vs. 821).
The Affordable Care Act and other legislative changes and related programs have significantly strengthened the powers of HHS, DOJ and other federal and state agencies to investigate and prosecute health care fraud. Among other things, these amendments and programs:
- Create qui tam and other whistleblower incentives and programs that encourage employees, patients, competitors and others to report suspicious behavior;
- Require providers and plans to self-identify, self-report and self-correct false claims and certain other non-compliance;
- Increase the federal sentencing guidelines for health care fraud offenses by 20-50% for crimes that involve more than $1 million in losses;
- Create penalties for obstructing a fraud investigation or audit;
- Make it easier for the government to recapture any funds acquired through fraudulent practices;
- Make it easier for the Department of Justice (DOJ) to investigate potential fraud or wrongdoing at facilities like nursing homes;
- Under the risk-based provider enrollment rules, providers and suppliers wishing to take part in Medicare, Medicaid, and CHIP who federal officials view as posing a higher risk of fraud or abuse now must undergo licensure checks, site visits and other heightened scrutiny including ongoing monitoring as part of the new Automated Provider Screening (APS) system CMS implemented in December 2011. The APS uses existing information from public and private sources to automatically and continuously verify information submitted on a provider’s Medicare enrollment application including licensure status Secretary to impose a temporary moratorium on newly enrolling providers or suppliers of a particular type or in certain geographic areas if necessary to prevent or combat fraud, waste, and abuse.
- Increased information sharing and coördination of investigations and enforcement among states, CMS, and its law enforcement partners at the Office of the Inspector General (OIG) and DOJ including the highly publicized activities of the Health Care Fraud Prevention and Enforcement Action Team (HEAT), a joint effort between HHS and DOJ to fight health care fraud.
- The power of CMS, in consultation with OIG, to suspend Medicare payments and require States to suspend Medicaid and SCHIP payments to providers or suppliers during the investigation of a credible allegation of fraud;
- The deployment and use of the sophisticated data collection and mining technologies of CMS’ new Fraud Prevention System, which since June 30, 2011 has used advanced predictive modeling technology to screen all Medicare fee-for-service claims before payment and target investigative resources on areas that this profile identifies as reflecting heightened risks of health care fraud vulnerability to allow regulators and prosecutors to more efficiently identify and respond to suspected fraudulent claims and emerging trends;
- Focused fraud prevention, detection and enforcement activities on Home Health agencies, Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) suppliers and certain other categories of providers and suppliers that federal officials view as historically presenting heightened concerns;
- Expansion of the overpayment detection and recovery activities of the Recovery Audit Contractor (RAC) program to Medicaid, Medicare Advantage, and Medicare Part D programs; and
- Various other tools.
Health Plan Partnership Latest Wrinkle In Fed’s Efforts To Use Private Whistleblower & Other Resources To Find Fraud
The partnership with the health plans is the latest wrinkle in a growing network of private relationships and outreach that HHS and DOJ use to discover health care fraud. By partnering with health plans, HHS and DOJ have recruited the health plans to help federal officials find and redress potential fraud in public and private health plans.
HHS and DOJ already know the value of getting private citizens to watch for and report suspected illegal behavior. Indeed, expanded qui tam and other whistleblower activities already are paying off big for federal officials. For example, a former executive’s qui tam claim helped bring about the settlement announced in June, 2012 under which Christus Spohn Health System Corporation recently paid more than $5 million to settle Justice Department claims that it profited from violations of the False Claims Act by inappropriately admitting patients to inpatient status for outpatient procedures. The investigation leading to the settlement began in March 2008 after Christus – Shoreline’s former director of case management filed a lawsuit under seal under the qui tam provisions of the False Claims Act alleging the six hospitals were submitting false claims to the Medicare program by billing for services that should have been performed on an outpatient basis as if they were more expensive inpatient services. The allegations stated that these hospitals were routinely billing outpatient surgical procedures as if they required an inpatient level of care even though the patients often were discharged from the hospital in less than 24 hours. The federal False Claims Act empowers private citizens with knowledge of fraud against the United States to present those allegations to the United States by bringing a lawsuit on behalf of the United States under seal. If the government’s investigation substantiates those allegations, then the private citizen is entitled to share in any recovery. In this case, that person will receive 20% of the $5,100,481.74 recovery.
With qui tam and other reports of suspected fraud an increasingly frequent and valuable tool in the federal and state wars on health care fraud, officials have added a wide range of programs encouraging and in some cases financially rewarding individuals and businesses that report circumstances leading to fraud convictions. The partnership with health plans reflects the latest wrinkle in these efforts.
Health Care Providers & Health Plans Must Act To Manage Risks
In response to the growing emphasis and effectiveness of Federal officials in investigating and taking action against health care providers and organizations, health care providers covered by federal false claims, referral, kickback and other health care fraud laws should consider auditing the adequacy of existing practices, tightening training, oversight and controls on billing and other regulated conduct, reaffirming their commitment to compliance to workforce members and constituents and taking other appropriate steps to help prevent, detect and timely redress health care fraud exposures within their organization and to position their organization to respond and defend against potential investigations or charges. In light of the growing qui tam risks, health care providers also should tighten internal investigation, exit interview and other human resources and business partner oversight, reporting and investigation policies and practices to help find and redress potential fraud or other qui tam, retaliation and similar exposures early and more effectively.
For More Information Or Assistance
If you need help reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need help responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources including:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2012 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
June 27, 2012
Health care providers, health plans, health care clearinghouses and their business associates should review the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) HIPAA audit protocol used by OCR to conduct the audits required by the HITECH Act to identify potential areas where they may need to tighten existing practices to withstand a possible audit and reduce exposures under the Privacy, Security and Breach Notification rules of the Health Insurance Portability & Accountability Act. OCR posted the audit protocols on its website on June 26, 2012, the same day it announced that the Alaska Medicaid program would pay more than $1.7 million to settle potential HIPAA liabilities arising from OCR’s investigation of circumstances resulting in a large data breach reported under the HITECH Act breach notification rules. Covered entities should use these resources both to prepare for potential audits and to review and adjust their practices to help prevent violations and defend against potential HIPAA enforcement actions.
HIPAA Audit Protocol
The OCR HIPAA Audit program analyzes key processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit requirement. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review. These include:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures;
- Security Rule requirements for administrative, physical, and technical safeguards;
- Requirements for the Breach Notification Rule.
Presently OCR says that HIPAA audits primarily seek to tighten compliance and aid OCR to identify areas where guidance should be revised or supplemented to enhance compliance. Where an audit identifies a significant compliance concern, however, OCR officials say they may open an enforcement investigation in response to evidence uncovered in connection with an audit. Beyond this risk, however, the audit protocols also provide additional guidance for covered entities about expected practices and procedures that could help mitigate risks to enforcement under the OCR’s ongoing investigation and enforcement activities of HIPAA. As reflected by a growing series of resolution agreements, these enforcement risks and their associated liability exposures are significant and growing. OCR announced its latest Resolution Agreement with Alaska Medicaid concurrently with the posting of the audit protocol.
Alaska $1.7 Million Resolution Agreement
OCR also announced June 26 that the Alaska State Medicaid Agency, the Alaska Department of Health and Social Services (DHSS), will pay $1,700,000 to settle possible violations of the HIPAA Security Rule. Alaska DHSS also has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.
The first HIPAA Resolution Agreement that the HHS Office for Civil Rights (OCR) has reached with a state agency, the Alaska Medicaid Resolution Agreement is the second announced Resolution Agreement stemming from an unsecured protected health information breach report filed in response to the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Earlier this year, OCR announced its first Resolution Agreement involving a health plan, which resulted from a breach notification report it had filed under the HITECH Act. See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report.
OCR opened the investigation leading to the Resolution Agreement after Alaska DHSS filed a breach report that indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. Inadequacies by covered entities in safeguarding protected health information and laptops and other devices containing ePHI are a common compliance concern according to OCR statistics.
In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
OCR’s announcement highlights the need for covered entities not only to take proper steps to establish and administer appropriate policies and safeguards to protect protected health information and EHI, but also to prepare, update as needed and be prepared to produce documentation showing their organization’s actions to evaluate, monitor and maintain appropriate safeguards of ePHI and the operating systems and devices that contain this information.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The HHS Resolution Agreement can be viewed here.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
The Alaska Medicaid Resolution Agreement is the latest in a growing list of Resolution Agreements highlighting the mounting exposures that health care providers, health plans, health care clearinghouses and their business associates face if required to file a large breach notification or otherwise charged with failing to appropriately manage their HIPAA responsibilities. See Arizona Physician Group Pays $100K To Settle HIPAA Charges; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. As OCR leaders have indicated that OCR investigates all large breach notification filings made under the HITECH Act Breach Notification Rules and with more than 450 large breach notifications reported on its website, additional Resolution Agreements are expected in coming months even as covered entities and their business associates are awaiting the impending issuance of updated HIPAA regulations.
In light of these and other developments and risks, covered entities and their business associates should move to audit and strengthen their HIPAA compliance and documentation and adopt other suitable safeguards to minimize HIPAA exposures.
In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.
In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.
For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.
For Representation, Training & Other Resources
If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.
You can get more information about her HIPAA and other experience here.
If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:
If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.
©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.
Posted by Cynthia Marcotte Stamer
June 26, 2012
The Alaska State Medicaid Agency, the Alaska Department of Health and Social Services (DHSS), will pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska DHSS also has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.
The first HIPAA Resolution Agreement that the HHS Office for Civil Rights (OCR) has reached with a state agency, the Resolution Agreement is the second announced Resolution Agreement stemming from an unsecured protected health information breach report filed in response to the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Earlier this year, OCR announced its first Resolution Agreement involving a health plan, which resulted from a breach notification report it had filed under the HITECH Act. See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report.
OCR opened the investigation leading to the Resolution Agreement after Alaska DHSS filed a breach report that indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. Inadequacies by covered entities in safeguarding protected health information and laptops and other devices containing ePHI are a common compliance concern according to OCR statistics.
In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
OCR’s announcement highlights the need for covered entities not only to take proper steps to establish and administer appropriate policies and safeguards to protect protected health information and EHI, but also to prepare, update as needed and be prepared to produce documentation showing their organization’s actions to evaluate, monitor and maintain appropriate safeguards of ePHI and the operating systems and devices that contain this information.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The HHS Resolution Agreement can be viewed here.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
The Alaska Medicaid Resolution Agreement is the latest in a growing list of Resolution Agreements highlighting the mounting exposures that health care providers, health plans, health care clearinghouses and their business associates face if required to file a large breach notification or otherwise charged with failing to appropriately manage their HIPAA responsibilities. See Arizona Physician Group Pays $100K To Settle HIPAA Charges; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. As OCR leaders have indicated that OCR investigates all large breach notification filings made under the HITECH Act Breach Notification Rules and with more than 450 large breach notifications reported on its website, additional Resolution Agreements are expected in coming months even as covered entities and their business associates are awaiting the impending issuance of updated HIPAA regulations.
In light of these and other developments and risks, covered entities and their business associates should move to audit and strengthen their HIPAA compliance and documentation and adopt other suitable safeguards to minimize HIPAA exposures.
In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.
In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.
For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.
©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.
Posted by Cynthia Marcotte Stamer
April 17, 2012
The $100,000 settlement with an Arizona-based physician group announced today by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) demonstrates the need for all health care providers, health plans, health care clearinghouses (covered entities) and their business associates to maintain appropriate HIPAA compliance and risk management procedures and documentation.
Arizona-based Phoenix Cardiac Surgery, P.C. (PCS) will pay the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges that PCS violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Health care providers and other HIPAA-covered entities should heed the PCS and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer proper HIPAA compliance practices.
The PCS settlement follows an extensive OCR investigation of a report that PCS posted clinical and surgical appointments for its patients on a publicly accessible Internet-based calendar. Among other things, the Resolution Agreement documenting the PCS settlement states that OCR’s investigation found that the persistent failure by PCS to adopt HIPAA-required policies and safeguards, maintain required business associate agreements, and conduct necessary workforce training resulted in the prohibited posting of more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar and business associates improperly receiving and maintaining PHI and ePHI without the protection of required business associate agreements.
Under the PCS HHS Resolution Agreement available here, PCS will pay a $100,000 settlement amount and carry out a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules. Like the $1,500,000 Blue Cross Blue Shield of Tennessee (BCBST) Resolution Agreement announced last month, the PCS Resolution Agreement shows OCR’s readiness to sanction health care providers and other covered entities of all sizes for violations of HIPAA.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
Like the BCBST Resolution Agreement and other previously announced OCR Resolution Agreements, the PCS Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates face and of their need to carefully and appropriately manage their HIPAA responsibilities. See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.
In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.
In response to these expanding exposures, all covered entities and their business associates should critically and carefully review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices, taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data, their own and others’ reported security and privacy breaches and near misses, and other developments, to determine if additional steps are necessary or advisable.
For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.
For Representation, Training & Other Resources
If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years’ experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Posted by Cynthia Marcotte Stamer
March 14, 2012
On Wednesday, March 14, 2012 at 1 p.m. EDT, National eHealth Collaborative’s NeHC University will host Stephen Palmer, Director of the Office of e-Health Coordination at the Texas Health and Human Services Commission, to describe the HIE strategy being pursued by the state of Texas. Palmer will be joined by Kem McClelland of the Integrated Care Collaboration, Tony Gilman of the Texas Health Services Authority, and Bryan White of the North Texas Accountable Healthcare Partnership to showcase the Texas strategy in action and detail the progress that has been made on the ground.
To participate, register and join NeHC University’s Spotlight on the Texas Statewide HIE Strategy.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years’ experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Other Recent Updates & Resources
If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:
- Dallas Business Journal Health Care Fraud Article Quotes Stamer
- Comment Period Extended To 3/21 On Proposed Extension Of Minimum Wage, Overtime To In-Home Caregivers
- 2 Doctors, 4 Nurses Join 11 Defendants Charged in $20M Home Health Fraud, Kickback, Money Laundering & Tax Evasion Sting
- States Medicaid & Other Health Care Fraud Enforcement Successes Continue
- Data Mining, Statistical Profiling Play Key Role In Arrest of Dallas Doctor, Office Manager & 5 Home Health Agency Owners
- ONC Releases Proposed Rules For Meaningful Use Stage 2
- DOJ & HHS Health Care Fraud Enforcement Nets $4 Billion + In 2011
- Update Charity and Sliding Fee Scale Policies For 2012 Federal Poverty Rate Changes
- Texas Physicians Get New Option For Resolving Some Medical Board Complaint
- Broad-Reaching Prosecution Of Individuals Participating In Operations Of Companies Convicted Of Fraud Shows Risks Of Participation
- Hospitals Can Expect CMS To Add Hospital Incident Reporting To Surveys In Response To OIG Report
- North Texas Medical Supply Company Owner Indicted For Health Care Fraud Now Also Charged With Immigration Fraud
- DOL Proposes Tighter Overtime, Minimum Wage Rules For Home Care Workers, Continues Scrutiny Of Health Care Employers
- DFW Hospital Council Foundation Among 26 Organizations Selected To Lead Quality Effort
- Former Houston Texas Physician Gets 70 Month Prison Sentence For Fraud Conviction
- Euless Healthcare Corporation Owner, Associates Face Conspiracy And Health Care Fraud Charges For Alleged Submission Of $700,000+ In Fraudulent Health Care Claims
For additional resources, publications and training materials by Ms. Stamer, see here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.
©2012 Cynthia Marcotte Stamer, P.C. nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.
Posted by Cynthia Marcotte Stamer
March 13, 2012
Resolution Agreement Also 1st Announced With Health Plan
Health care providers, health plans and other covered entities beware and prepare! Reporting a large breach under the HITECH Act breach notification rules will trigger a Department of Health & Human Services (HHS) Office of Civil Rights (OCR) investigation into whether OCR should impose civil monetary penalties against the reporting covered entity under the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay OCR $1,500,000 and to take certain other actions specified in a corrective action plan to avoid civil monetary penalties for charges of HIPAA violations. The BCBST Resolution Agreement is particularly significant, both as:
- The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
- The first reported resolution agreement reached with a covered entity that is a health plan.
These notable enforcement firsts show the HITECH Breach Notification Rule’s significance as an OCR HIPAA enforcement tool, the heightened exposure to OCR opening a HIPAA civil monetary penalty (CMP) investigation following a report, and the willingness of OCR to sanction health plans as well as other covered entities that breach HIPAA’s Privacy or Security Rules.
BCBST Investigation Began In Response to HITECH Act Breach Notification Rule Report
The OCR investigation that led to the BCBST settlement began in response to BCBST making a report required under the Breach Notification Rule of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee, which contained the protected health information (PHI) of over 1 million individuals. Read more details here.
The Breach Notification Rule enacted as part of amendments to HIPAA under the HITECH Act requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media as well as an annual consolidated report of smaller breaches to HHS.[1] Along with the Breach Notification Rules, the HITECH Act also increased the civil monetary penalties (CMPs) that covered entities like BCBST can incur for HIPAA violations. When it imposed its first ever CMP last year, OCR imposed a $4.3 million CMP against Cignet Health of Prince George’s County, Md. (Cignet).
In an apparent effort to avoid a potentially larger CMP assessment arising from the investigation of its breach report, BCBST agreed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
The BCBST Resolution Agreement, like the Cignet CMP and other high dollar Resolution Agreements OCR has announced against various health care providers, highlights the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as the significance of its Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.
“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. For tips, see here.
[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.
For more tips, see here.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.
You can get more information about her HIPAA and other experience here.
If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.
Other Recent Updates & Resources
If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:
- Dallas Business Journal Health Care Fraud Article Quotes Stamer
- Comment Period Extended To 3/21 On Proposed Extension Of Minimum Wage, Overtime To In-Home Caregivers
- 2 Doctors, 4 Nurses Join 11 Defendants Charged in $20M Home Health Fraud, Kickback, Money Laundering & Tax Evasion Sting
- States Medicaid & Other Health Care Fraud Enforcement Successes Continue
- Data Mining, Statistical Profiling Play Key Role In Arrest of Dallas Doctor, Office Manager & 5 Home Health Agency Owners
- ONC Releases Proposed Rules For Meaningful Use Stage 2
- DOJ & HHS Health Care Fraud Enforcement Nets $4 Billion + In 2011
- Update Charity and Sliding Fee Scale Policies For 2012 Federal Poverty Rate Changes
- Texas Physicians Get New Option For Resolving Some Medical Board Complaint
- Broad-Reaching Prosecution Of Individuals Participating In Operations Of Companies Convicted Of Fraud Shows Risks Of Participation
- Hospitals Can Expect CMS To Add Hospital Incident Reporting To Surveys In Response To OIG Report
- North Texas Medical Supply Company Owner Indicted For Health Care Fraud Now Also Charged With Immigration Fraud
- DOL Proposes Tighter Overtime, Minimum Wage Rules For Home Care Workers, Continues Scrutiny Of Health Care Employers
- DFW Hospital Council Foundation Among 26 Organizations Selected To Lead Quality Effort
- Former Houston Texas Physician Gets 70 Month Prison Sentence For Fraud Conviction
- Euless Healthcare Corporation Owner, Associates Face Conspiracy And Health Care Fraud Charges For Alleged Submission Of $700,000+ In Fraudulent Health Care Claims
For additional resources, publications and training materials by Ms. Stamer, see here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.
©2012 Cynthia Marcotte Stamer, P.C. nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.
[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.
Posted by Cynthia Marcotte Stamer
February 23, 2012
The Office of the National Coordinator for Health Information Technology (ONC) published its Notice of Proposed Rulemaking for Stage 2 Meaningful Use (Proposed Rule) in the Federal Register today (February 23).
The Proposed Rule available here outlines the next stage of meaningful use for the Electronic Health Record (EHR) Incentive Programs administered by CMS.
CMS has developed a fact sheet to give providers an overview of the rule and how Stage 2 expands upon Stage 1 of meaningful use. The fact sheet can be found here.
For More Information Or Assistance
If you need assistance reviewing or responding to these or other health care related technology, risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers, health care technology and other health industry clients to set up and administer privacy and technology; workforce and staffing; operations; compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, technology, privacy, quality assurance and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include a wide range of works on health care privacy and technology and other health industry matters.
Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources including:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2012 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
November 27, 2011
Convictions Highlight Health Care Data Bases Attractive, Vulnerable Target For Medicare Fraud Schemers
A Federal judge sentenced 25-year-old Miami resident Yenky Sanchez to serve more than 5 years in Federal prison for his role in the theft of Medicare numbers and other information of elderly and disabled Florida residents as part of a plan to defraud Medicare, Medicaid and other federal programs. Coming on the heels of a November 3 conviction in West Virginia of Sargis Tadevosyan in a separate identity theft for Medicare fraud scheme, the convictions highlight the growing commitment and effectiveness of Federal and state investigators in investigating and prosecuting individuals who seek to use identity theft schemes to defraud Medicare or other federal programs.
Sanchez Conviction & Sentencing
The sentence arises from criminal charges brought by the U.S. Department of Justice (DOJ) in conjunction with other federal and state agencies, which charged Sanchez with conspiring to commit health care fraud, authentication feature fraud and aggravated identity theft. According to DOJ documents, Sanchez participated in a scheme with Raul Diaz-Perera to steal and sell Medicare numbers and other data about clients of their employer, the Florida Department of Children and Families (DCF). Diaz-Perera previously was employed with DCF. According to the evidence at trial against Sanchez and a factual proffer filed with the court during the plea hearing for co-defendant Diaz-Perera, Sanchez used his position as an employee at a DCF call center in downtown Miami to steal Medicare numbers and other personal information for purposes of committing health care fraud and identity theft. The intent of Sanchez and his co-conspirator was for those numbers to be used to fraudulently bill Medicare for services that were never provided to the DCF beneficiaries. Sanchez was convicted of conspiring to commit health care fraud, in violation of Title 18, United States Code, Section 1349; conspiring to commit authentication feature fraud, in violation of Title 18, United States Code, Sections 1028(a)(3) and (f); and aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1). Based on these convictions, U.S. District Judge Cecilia M. Altonaga sentenced Sanchez on November 21, 2011 to 65 months in prison, followed by three years of supervised release. Judge Altonaga also imposed a $5,000.00 fine on Sanchez.
Tadevosyan Conviction
Federal officials previously also had scored another Medicare fraud/identity theft prosecution victory just a few short weeks earlier in West Virginia. On November 3, 2011, a federal jury convicted Armenian citizen Sargis Tadevosyan in connection with a health care fraud scheme that intended to defraud millions of dollars from Medicare. Tadevosyan was found guilty of two felony counts: conspiracy to commit health care fraud and wire fraud and aggravated identity theft. Tadevosyan faces up to 20 years in prison for the conspiracy conviction and a mandatory consecutive sentence of two years for aggravated identity theft and a $250,000 fine when he is sentenced on January 26, 2012.
In contrast to the small scale conspiracy that apparently occurred in the Sanchez case, the Tadevosyan scheme apparently was orchestrated by organized crime. Department of Health and Human Resources Office of Inspector General (HHS-OIG) uncovered the activities of Tadevosyan as part of its investigation of fraud schemes involving false front providers, whereby a company posed as a Medicare health care provider, and unlawfully billed Medicare as if they were providing legitimate services. Ultimately, investigators discovered that Tadevosyan and others were involved in defrauding Medicare and other health care payers as part of a scheme that used false front provider companies. In total, more than $4 million in Medicare claims were submitted by the false front providers. Two co-conspirators of Tadevosyan pleaded guilty in September to aiding and abetting aggravated identity theft in connection to the health care fraud plot. Those two co-defendants are scheduled to be sentenced on December 1, 2011.
In announcing the Tadevosyan conviction, federal officials affirmed their commitment to finding and prosecuting identity theft targeting Medicare and other health insurance programs. “This investigation revealed that organized criminal groups are still brazenly attempting to steal taxpayer money from our national health insurance programs,” said Nicholas DiGiulio, Special Agent in Charge for the Inspector General’s Office of the United States Department of Health and Human Services. “Today’s results demonstrate that we will do whatever it takes to catch these individuals in the act before they receive a penny of taxpayers’ money.”
Federal Laws, Investigations & Prosecutions of Medical Identity Theft Schemes Tightening
Whether from deliberate schemes to misappropriate data or other less sinister compromises of personal health information or other sensitive data, health care providers, health plans and other businesses face rising responsibilities to protect data and increasing exposures for failing to do so.
Federal law imposes stiff sanctions against organizations and individuals that engage in theft of personal or other sensitive information, health or other federal program fraud or both. In an effort to stem the tide of health care and identity theft fraud, federal and state legislators and regulators have tightened federal and state laws to strengthen laws prohibiting health care fraud and identity theft, to require that health care providers, health plans, federal and state agencies and others that collect, possess or access sensitive personal health information, personal financial information or other sensitive data safeguard and protect sensitive information against improper access or misuse, to increase the penalties for violation of these federal and state laws and to provide law enforcement with expanded tools to investigate and prosecute violations of these laws. See e.g., Cybercrime and Identity Theft: Health Information Security Beyond HIPAA.
As a result of these new and expanded mandates, health care providers, health plans, financial organizations and a broad range of other businesses and governmental agencies face a host of complicated mandates to protect personal health information, personal financial information and other sensitive data under laws such as the Health Information Portability & Accountability Act (HIPAA), the Fair & Accurate Credit Transactions Act (FACTA), state and federal identity theft and data security and other laws and significant liability for failing to fulfill these responsibilities.
Health care providers, health insurers and others handling protected health information are particularly at risk when their data is compromised. Recent amendments to HIPAA require these entities and their business associates to tighten their data privacy and security safeguards and to monitor and timely report data breaches, as well as significantly expand their potential liability exposure for failing to comply with HIPAA’s requirements. See e.g., UCLA Health Systems Payment of $865,500 To Settle HIPAA Charges Shows Rising HIPAA Risk; CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information; President Signs Long-Sought Red Flag Rule Exemption Into Law. As part of its ongoing implementation of stepped up enforcement responsibility and powers enacted as part of these recent amendments, the HHS Office of Civil Rights (OCR) announced on November 8, 2011 its kickoff of a new compliance audit effort. These developments send a forceful message that all businesses generally and health care providers, health plans, healthcare clearinghouses and their business associates specifically must get serious about compliance with the privacy, security and data breach requirements of HIPAA and other applicable law by implementing and administering the policies, procedures, training and oversight necessary to comply with these and other federal and state mandates regarding the protection of personal health information and other sensitive data. Learn more about the recent convictions and related data breach exposures here.
For Help With Compliance, Investigations Or Other Needs
If you need assistance providing compliance or other training, reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years' experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others.
Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
November 9, 2011
The kickoff of a new compliance audit pilot program provides another reason for health care providers, health plans, healthcare clearinghouses and their business associates to get serious about compliance with the privacy, security and data breach requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
OCR Pilot Audit Program Begins
On November 8, 2011, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced that it will begin auditing HIPAA compliance this month under a new pilot program.
HIPAA, as amended by the American Recovery and Reinvestment Act of 2009 in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to make sure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To carry out this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance between November 2011 and December 2012.
The commencement of OCR HIPAA compliance audits is yet another sign that covered entities and their business associates should get serious about HIPAA compliance. The audit program serves as a new part of OCR’s health information privacy and security compliance program. While OCR says that it presently views the pilot audits as primarily a compliance improvement tool, this does not mean violators should expect a free walk.
Even before the impending audits, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. Earlier this year, OCR imposed a $4.3 Million Civil Money Penalty (CMP) against Cignet Health of Prince George’s County (Cignet) for violating HIPAA. Meanwhile, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. Under amendments made by the HITECH Act, state attorneys general also now are empowered to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations also will get the right to share in a portion of certain HIPAA recoveries.
These and other audit and enforcement activities send a strong message that covered entities and their business associates need to get serious about HIPAA compliance. As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” Learn more here.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.
Vice President of the North Texas Health Care Compliance Professionals Association, a member of the American College of Employee Benefit Counsel, Past Chair of the ABA RPTE Employee Benefits & Other Compensation Arrangements Group, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies. Ms. Stamer also regularly helps clients deal with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. Her insights on the required “culture of compliance” with HIPAA are frequently included in medical privacy related publications of the Atlantic Information Service, Modern Health Care, HealthLeaders and many others. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others.
You can get more information about her HIPAA and other experience here or may contact her at (469) 767-8872 or via e-mail here.
You can review other selected publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
September 15, 2011
Health care providers, health plans, health care clearinghouses and their business associates got another wake up call about the growing importance of strengthening their policies, practices and safeguards of medical information and records that are “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the announcement on July 7 that the University of California at Los Angeles Health System (UCLAHS) has reached an agreement with the U.S. Department of Health & Human Services Office of Civil Rights (OCR) to pay $865,500 and act to strengthen its health information privacy and security practices to settle charges of HIPAA violations.
The latest in a series of recently announced high-dollar Resolution Agreements, the UCLAHS Resolution Agreement highlights the growing risks that covered entities and their business associates run by failing to adequately adopt and administer the policies, systems and other management controls and training necessary to ensure that their organizations and their employees and other members of their workforce actually operationally comply with HIPAA.
Increased penalties, tighter rules and recent enforcement actions by OCR make it more important than ever that covered entities tighten their compliance and risk management policies and procedures.
As a result of amendments enacted as part of the HITECH Act, Congress modified and expanded the HIPAA audit and enforcement obligations of OCR, amended and expanded the potential penalties, made business associates liable for violation of the privacy rules like covered entities, added an obligation for covered entities and business associates to provide notification of breaches of unsecured PHI and tightened other HIPAA obligations. The HITECH Act also gave state attorneys general the power to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations will get the right to share in a portion of certain HIPAA recoveries. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.
OCR enforcement actions and statistics make clear that OCR is serious about investigation and enforcement of HIPAA violations. This Spring, OCR assessed its first civil monetary penalty (CMP) under HIPAA – a $4.3 million penalty against Cignet Health of Prince George’s County, Md. (Cignet) – and entered into a series of Resolution Agreements under which CVS Pharmacy, Inc., General Hospital Corporation and Massachusetts General Physicians Organization Inc., Rite Aid and others paid a million or more dollars as part of the required terms of settlement. See e.g., Rite Aid Pays $1 Million HIPAA Privacy Settlement As OCR Tightens HIPAA Regulations; HIPAA Risks Soar As CVS Agrees To Pay $2.25 Million To Resolve HIPAA Charges & Stimulus Bill Amends HIPAA; Providence To Pay $100,000 & Implement Other Safeguards To Settle HIPAA Penalty Exposures Under HIPAA. Meanwhile, as of January 1, 2011, OCR reported that it had referred more than 484 Privacy Rule breach investigations to the Department of Justice for consideration for potential criminal prosecution and required changes in privacy practices and other corrective actions as part of the requirements for resolution of an additional 12,781 of cases investigated. In addition to these civil enforcement actions by OCR, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.
Lax HIPAA and other practices for protection of medical and other confidential personal information also increasingly exposes covered entities and other organizations to liability under state laws. State courts allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions. See, e.g. Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006). Private plaintiffs employed by covered entities also claim HIPAA related misconduct as the basis for their retaliation claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.
HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose covered entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws. See, Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.
These and other developments make clear that covered entities and their business associates must get serious about HIPAA compliance and risk management. These organizations should review and tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks.
For More Details Or Help With HIPAA & Other Risk Management & Compliance Needs
To learn more about the UCLAHS Resolution Agreement and other risk management tips, see UCLA Health Systems Payment of $865,000 To Settle HIPAA Charges Shows Rising HIPAA Risk.
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, and to address health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, on May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16. Her insights on the required “culture of compliance” with HIPAA also recently were quoted in medical privacy related publications of the Atlantic Information Service. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. To ask for legal help with these or other compliance concerns, inquire about arranging for compliance audit or training, or other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here. You can review other publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and register to receive future updates about developments on these and other concerns from Ms. Stamer here.
For important information concerning this communication click here.
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.
THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
May 17, 2011
Wish you knew more about how to use electronic health records (EHRs) to earn incentive payments from the Centers for Medicare & Medicaid Services (CMS)? CMS plans to host a national provider education call to help you learn more about meaningful use on Thursday, May 19 at 2:30 p.m. EDT. During the call, CMS plans to discuss:
- The definition of meaningful use
- The requirements for Stage 1 of meaningful use (2011 and 2012)
- How to attest to having met meaningful use
- Overview of the meaningful use objectives specification sheets
- Q&A about meaningful use
In order to receive the call-in information, you must register for the call. It is important to note that if you are planning to sit in with a group, only one person needs to register to receive the call-in data. This registration is solely to reserve a phone line, NOT to allow participation. Registration will close at 2:30 p.m. EDT on May 18, 2011, or when available space has been filled. No exceptions will be made, so please be sure to register prior to this time. In order to register, you should:
- Visit the registration page.
- Fill in all required information and click “Register.”
- You will be taken to the “Thank you for registering” page and will receive a confirmation email shortly thereafter. Please save this page in case your server blocks the confirmation emails. (If you do not receive the confirmation email, check your spam/junk mail filter as it may have been directed there.)
- If assistance for hearing impaired services is needed, please email medicare.ttt@palmettogba.com no later than three business days before the call.
Prior to the call, presentation materials will be made available in the “Upcoming Events” section of the Spotlight page on the CMS EHR website.
Register for the call today.
Want more information about the EHR Incentive Programs?
Make sure to visit the EHR Incentive Programs website for the latest news and updates on the EHR Incentive Programs.
Sixty-two Regional Extension Centers (RECs) across the nation are prepared to offer customized, on-the-ground assistance for eligible professionals and hospitals registering for the CMS EHR Incentive Programs. To locate an REC near you, visit http://www.healthit.
In addition to the May 10 call, recordings of various other recent health information privacy and data security training offered by agencies within the Department of Health and Human Services also now are available on the web. For instance, the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review. The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA). Meanwhile, OCR’s Susan McAndrew on Monday shared insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011. Recordings of these presentations are or will be accessible from the sponsoring organizations’ websites. For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here. For details about the May 16 teleconference, see here.
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, and to address health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. On May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others including highly popular programs on “Sex Drugs & Rock ‘N Role: Managing Personal Misconduct in Health Care,” “Managing Physician Performance” and others. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press resources including:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
Posted by Cynthia Marcotte Stamer
May 10, 2011
The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review. The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA). Meanwhile, OCR’s Susan McAndrew is scheduled to share insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference to be hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011.
The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards. Presentations cover a variety of current topics including updates on HHS health information privacy and security initiatives, OCR’s enforcement of health information privacy and security activities, integrating security safeguards into health IT and security automation, insider threat trends and safeguards, and more.
The conference is designed to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, with the agencies sharing their practical strategies, tips and techniques for implementing the HIPAA Security Rule.
For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here. For details about the May 16 teleconference, see here.
Posted by Cynthia Marcotte Stamer
May 10, 2011
NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONAL ASSOCIATION
Invites Members and Guests to Join In The May BYO Brown Bag Luncheon
“Selected Legal Issues in HIPAA Compliance”
May 18, 2011
Noon-2:00 p.m.
Dallas Ft Worth Hospital Council
250 Decker Drive, Irving, TX 75062-2706
North Texas Healthcare Compliance Professional Association (NTHCPA) invites members and other interested health care compliance professionals to join other NTHCPA members and guests on Wednesday, May 18, 2011 from Noon to 2:00 p.m. as DFW attorney Scott Chase leads a program on “Selected Legal Issues in HIPAA Compliance.” During the program, Mr. Chase will review selected current legal problems in complying with the security and privacy audit requirements, notification of breaches of security and responses to subpoenas under the HIPAA Privacy and Security Rules. Participants also will enjoy ample opportunity to network with each other and dialogue on these and other HIPAA related challenges.
Scott Chase is a solo practitioner who has represented small business owners (primarily physician groups) for almost 30 years. Prior to his solo practice, he served as General Counsel for 2 public companies, including a large hospital management company. He has chaired the Corporate Counsel Section of the Dallas Bar Association and its Health Law Section and, in 2002, he was among the first 28 Texas lawyers to be Board Certified in Health Law by the Texas Board of Legal Specialization.
The meeting will be held at the offices of the Dallas Ft Worth Hospital Council, 250 Decker Drive, Irving, TX 75062-2706. Under the new brown bag luncheon format, members and guests are encouraged to bring along a lunch of their choosing and participate in this skill building and networking event.
NTHCPA meetings are open to all NTHCPA members and other interested health care compliance professionals. Participation in the meeting is complimentary. Participants are responsible for any parking charges incurred.
Save The Date For June 15 Meeting
Save the date and plan to attend the June meeting featuring a program and dialogue on “Current Government Enforcement Initiatives” to be led by Jones Day attorney Frank Sheeder at the Dallas Ft Worth Hospital Council offices on June 15, 2011 from Noon to 2 p.m.
RSVP & Register For Invites & Updates
To help us to notify you about upcoming meetings and to arrange for adequate space for this and other meetings, interested persons are encouraged to forward their current contact information including e-mail to Vice-President Cynthia Marcotte Stamer at (469) 767-8872 or by e-mail here. Stay on top of information about upcoming meetings and share and dialogue with other NTHCPA members about health care compliance challenges and developments by joining our Linked In Group here. Please feel free to share this invitation with others who may be interested.
About the NTHCPA
NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles. The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas. To register or update your registration or to receive notice of future meetings, e-mail here.
Would you like to get more involved? We encourage persons interested in serving on the steering committee, sponsoring refreshments for an upcoming meeting, suggesting topics or speakers, or seeking more information about membership or involvement with the NTHCPA to contact:
NTHCPA President Erma Lee at (817) 927-1232 or by e-mail here or
Vice-President Cynthia Marcotte Stamer at (469) 767-8872 or by e-mail here
This communication may be considered a marketing communication for certain purposes. If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading here.
Posted by Cynthia Marcotte Stamer
March 20, 2011
Researchers from the Office of the National Coordinator for Health Information Technology (ONC) and other Department of Health & Human Services (HHS) leaders are touting new studies they say show the benefits of investing in health information technology (health IT).
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009, as much as $27 billion in Medicare and Medicaid incentive payments will be available to eligible professionals, eligible hospitals, and critical access hospitals when they adopt certified EHR technology and successfully demonstrate “meaningful use” of the technology in ways that improve quality, safety, and effectiveness of patient-centered care.
On March 8, 2011, ONC researchers reported results of a comprehensive review of recent studies it says show the effects of health IT on key aspects of health care on the ONC website and in Health Affairs.
According to Donald Berwick, M.D., administrator of the Centers for Medicare & Medicaid Services, the study supports the investments that the HITECH Act makes in health IT. “These new findings are very significant in helping to confirm that our Nation has made the right choice in moving aggressively toward adoption of health information technology,” said Dr. Berwick.
The review included articles published from July 2007 up to February 2010, following up on earlier reviews of articles from 1995 to 2004 and from 2004 to 2007. This latest review initially surveyed more than 4,000 peer-reviewed articles, of which 154 were found qualified for the parameters of the study, a number similar to the previous efforts. In addition to quality and efficiency of care, the authors categorized additional outcomes including access to care, preventive care, care process, patient safety, and provider or patient satisfaction.
According to the authors, a current review of 154 peer-reviewed studies from July 2007 to February 2010 found:
- More than 92 percent reached positive overall conclusions on the effects of health IT;
- 30 percent found mixed but predominantly positive results; and
- Ten articles were found to have negative or mixed-negative results.
ONC reports that the review also reflected a new balance of evidence between HIT “leader” organizations and other entities, especially smaller medical practices. In previous years, much evidence has come from the “leaders.” The current review shows increased evidence of benefits for others as well.
Examples of positive results highlighted by ONC in its reports include:
- One study found that at three New York City dialysis centers, patient mortality decreased by as much as 48 percent while nurse staffing decreased by 25 percent in the three years following implementation of electronic health records (EHRs).
- In an inpatient study, a clinical decision support tool designed to decrease unnecessary red blood cell transfusions reduced both transfusions and costs, with no increase in patient length-of-stay or mortality.
- Another study addressing HIT in 41 Texas hospitals found that hospitals with more advanced HIT had fewer complications, lower mortality and lower costs than hospitals with less advanced HIT.
ONC researchers report that negative findings in the study were most often associated with provider or staff satisfaction related to difficulties in the process of transitioning from paper-based to electronic-based records and care. The researchers conclude these findings “highlight the need for studies that document the challenging aspects of implementing HIT more specifically and how these challenges might be addressed,” such as through strong leadership or staff participation when adopting and implementing HIT.
Reflecting on the findings, Surgeon General Regina Benjamin, M.D., said, “My own personal experience in switching my practice from paper to EHRs showed that the change requires some initial effort; however, it did not interrupt work flow in the clinic. The results are better care for patients and new opportunities for the physician and staff to improve quality outcomes.” Dr. Benjamin switched to EHRs in her Gulf Coast Alabama family practice after two hurricanes and a fire destroyed the clinic’s paper records.
At the Agency for Healthcare Research and Quality, where research into health informatics has been supported since 1968, agency Director Carolyn Clancy, M.D., called attention to the importance of rapid information feedback and current evidence as the Nation pursues HIT implementation. “As we have known, and this new review of the available literature shows, HIT holds tremendous potential to improve health care quality. It is important that we continue to use experience from the field and scientific evidence to guide our efforts to improve the quality and safety of health care for all Americans.”
For Help With Monitoring Developments, Compliance, Investigations Or Other Needs
If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, and to respond to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others including highly popular programs on “Sex Drugs & Rock ‘N Role: Managing Personal Misconduct in Health Care,” “Managing Physician Performance” and others.
Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press resources including:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
February 22, 2011
Health Care Providers Should Strengthen HIPAA Compliance & Defenses As Risks Rise
$4.3 million is the amount of the civil monetary penalty (CMP) that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has ordered Cignet Health of Prince George’s County, Md., (Cignet) to pay for violating the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule.
The first CMP ever assessed by OCR under the HIPAA Privacy Rule, the Cignet CMP assessment is the latest in a series of developments documenting the rising risks that health care providers, health plans, health care clearinghouses and their business associates (“covered entities”) face for violations of HIPAA. Covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks. Read more details.
Even before the announcement of the Cignet CMP, the HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. As of January 1, 2011, OCR reports that 12,781 of the cases it has investigated have been resolved by requiring changes in privacy practices and other corrective actions by the covered entities, and that it has referred more than 484 Privacy Rule breach investigations to the Department of Justice for consideration for potential criminal prosecution.
While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated the willingness of OCR to pursue significant civil remedies against covered entities that it determined willfully violated the Privacy Rules.
In response to these expanding exposures, covered entities and their business associates should review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Cignet, Providence and CVS enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to determine if additional steps are necessary or advisable.
For Help With Compliance, Investigations Or Other Needs
If you need assistance auditing or tightening your existing HIPAA and other confidentiality practices or addressing other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies and to respond to OCR, FTC, medical board and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on Medicare quality and other compliance concerns. 
Her publications and insights on HIPAA and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
February 9, 2011
Dr. David Blumenthal, MD, MPP, national coordinator for health information technology in the Office of the National Coordinator for Health Information Technology (ONC) announced that ONC’s Regional Extension Center (REC) program will make available an additional $12 million in new technical support assistance to help critical access hospitals (CAHs) and rural hospitals adopt and become meaningful users of certified health information technology to provide a wide range of support services.
The new funds are intended to help the 1,777 critical access and rural hospitals in 41 states and the nationwide Indian Country, headquartered in the District of Columbia, qualify for substantial EHR incentive payments from Medicare and Medicaid. For a listing of the award recipients for the grants announced today, see here. The intent of this supplement is to provide additional technical support to critical access and rural hospitals with fewer than 50 beds in selecting and implementing EHR systems primarily within the outpatient setting. This funding is in addition to the $20 million provided to RECs in September 2010 to provide technical assistance to the CAHs and rural hospitals.
The new funding is provided under the Health Information Technology Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009. The HITECH Act created the Medicare and Medicaid EHR incentive programs, which will provide incentive payments to eligible professionals, eligible hospitals, and CAHs that adopt and demonstrate meaningful use of certified EHR technology. Incentives totaling as much as $27.4 billion over 10 years could be expended under the program, which is administered by the Centers for Medicare & Medicaid Services. In addition, the HITECH Act provided $2 billion through ONC to support technical assistance, training, and demonstration projects to assist in the nation’s transition to EHRs.
The additional CAH and rural hospital funding will be administered through ONC’s Regional Extension Center (REC) program. The RECs are specifically designed to offer a wide range of hands-on technical assistance, guidance, and information on best practices to support and accelerate health care providers’ efforts to become meaningful users of certified EHRs under the Medicare and Medicaid incentives programs. A total of 62 RECs are located throughout the country. This additional funding is being awarded to 48 RECs serving CAH and rural hospital providers in 41 states and the nationwide Indian Country.
Today’s $12 million round of awards will result in a total of approximately $32 million of funding provided to the RECs to support CAH health IT adoption.
For a complete listing of REC grant recipients and additional information about the Health Information Technology Regional Extension Centers, see here.
For information about the Medicare and Medicaid EHR Incentive Programs, see here.
For More Information Or Assistance
If you need assistance with meaningful use or other EMR or other health technology, risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to DEA and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on Medicare quality and other compliance concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.
You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
©2011 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
February 7, 2011
Health care and other employers should exercise caution when drafting and applying policies regulating employee Facebook or other social networking site, e-mail, or other communications to avoid violating Federal labor laws protecting worker organization rights, as illustrated by a February 7, 2011 settlement agreement reached between a Connecticut ambulance service operator and the National Labor Relations Board (NLRB).
According to the NLRB, Connecticut ambulance service provider American Medical Response (AMR) and the NLRB have agreed to settle a complaint filed on October 27, 2010 that charged AMR with violating the National Labor Relations Act (NLRA) by firing an employee for making derogatory comments about her supervisor on Facebook.
In its complaint against AMR, the NLRB charged that AMR’s termination of an employee for making derogatory statements about her supervisor on Facebook violated the NLRA because the employee was engaged in protected activity under the NLRA when she posted the comments about her supervisor, and responded to further comments from her co-workers. The NLRB complaint also charged AMR maintained overly-broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees, and that it had illegally denied union representation to the employee during an investigatory interview shortly before the employee posted the negative comments on her Facebook page.
Under the terms of AMR’s settlement with the NLRB[i] approved February 7, 2011, AMR agreed:
- To revise its employee handbook rules to avoid improperly restricting employees from discussing their wages, hours and working conditions with co-workers and others while not at work in violation of the NLRA;
- Not to discipline or discharge employees for engaging in such discussions; and
- Not to deny employee requests for union representation or threaten employees for requesting union representation in the future.
Federal labor law requires that employers tread carefully when dealing with communications by employees concerning terms and conditions of employment and other union or other organizational activity. Existing federal law limits the actions that employers can take to deter or influence employee choices about whether to support or oppose a union certification campaign, to influence the certification of one union representative over another and to deter or penalize employees for communicating about terms and conditions of employment.
Under the NLRA, for instance, employees generally may discuss the terms and conditions of their employment with coworkers. The protections afforded by the NLRB to employee communications about terms and conditions of employment can apply to both unionized and non-unionized employees and workforces. Subject to certain reasonable restrictions on communications within the workplace allowed by the NLRA, the NLRA generally restricts the ability of an employer to prohibit employees from communicating about terms and conditions of employment.
Worker awareness of these protections has grown in many workplaces as a result of a new policy requiring employers that are government contractors to post notification of NLRA rights in the workplace implemented by the Obama Administration in May, 2010, aggressive union organization efforts in the health care and certain other industries and other developments. As a consequence, health industry and other employers need to exercise care to avoid violating the NLRA and other federal labor laws when designing, communicating and applying social networking, e-mail, internet, and other policies that regulate on or off-duty communications by employees.
To minimize liability risks under the NLRA, health industry and other employers should consult with qualified labor and employment counsel before discussing or taking other action in response to these activities to minimize risks of unintentionally running afoul of these requirements. Employers should exercise care even if the communication restraint is adopted to comply with legally mandated restrictions on communications such as those required by the privacy and security mandates of laws such as the Health Insurance Portability & Accountability Act (HIPAA). While the NLRA generally permits restrictions on communications required to comply with law, health industry and other employers should be prepared to demonstrate the legitimacy of the legal need and their tailoring of restrictions on employee communications to meet that need.
For Advice or Other Information
If your organization needs advice or assistance in responding to labor and employment issues in your health care organization or other health care matters, consider contacting the author of this article, Cynthia Marcotte Stamer at (469) 767-8872 or via e-mail here.
Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is nationally known for her work, training and presentations, and publications on health industry and other staffing and employment, compensation, regulatory, and other operations, risk management and compliance matters.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry and human resources matters, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on health care, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press resources including:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here.
Posted by Cynthia Marcotte Stamer
December 9, 2010
Allowing customers or clients to pay for services and supplies over time will not cause doctors, dentists, hospitals, veterinarians, and other health care providers, lawyers, accountants, consultants and other service providers to be required to comply with the burdensome “Red Flag Rules” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) after all. President Obama earlier today (December 9, 2010) signed into law the “Red Flag Program Clarification Act of 2010” (S. 3987/H.R. 6420) (Act), which exempts businesses engaging in these limited financing transactions from the obligation to comply with the Red Flag Rule’s identity theft monitoring and prevention requirements.
FACTA’s Red Flag Rules generally require “creditors” to comply with burdensome identity theft prevention and monitoring rules issued by the Federal Trade Commission (FTC). Before the Act became law today, FTC regulations set to take effect December 31, 2010 construed health care providers, attorneys, consultants or other service providers as covered creditors simply if they allowed customers to finance and pay charges to the service provider over time. Despite widespread outcry over this interpretation, efforts to overturn this interpretation had proven unsuccessful until recent weeks.
The Act is intended by Congress to make clear that doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, lawyers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rules just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.
As amended by the Act, the Red Flag Rule’s definition of “creditor” generally will continue to apply to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipient’s obligation to repay (or permit the funds to be repaid through specific property of the recipient), or otherwise is a creditor that the Federal Trade Commission (FTC) by rule determines should be covered as a creditor that offers or maintains accounts subject to a reasonably foreseeable risk of identity theft. However, a person that only “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” now is expressly excluded from the definition of “creditor” for purposes of the Red Flag Rules.
The Act’s passage follows a multi-year battle by health care providers and other professional services providers to reverse the FTC’s interpretation of the Red Flag Rules as applicable to service providers that allow customers and clients to pay for services and supplies over time. The outcry about the FTC’s interpretation of the scope of the rules and the perceived cost and complexity of their provisions led the FTC to delay implementation several times. See e.g., Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required.
Congressional action to overturn the interpretation took wings beginning in November. After the Senate passed S. 3987, on November 30, 2010, the House of Representatives acted quickly to send the Act to the President for signature by approving H.R. 6420 on December 7.
The relief provided under the Act is particularly welcomed by health care providers, who already face significant civil and criminal liability exposures under the health-industry specific privacy and data security requirements of the Health Insurance Portability & Accountability Act (HIPAA). See CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.
While the Act exempts these limited transactions from the Red Flag Rules, businesses should avoid overestimating the scope of relief provided. Even with the new exemption, these and other businesses generally face significant responsibilities and risk under other federal electronic crimes, and other federal and state data security, identity theft and other laws and precedent, as well as pursuant to contractual commitments incorporated into a broad range of agreements in response to FACTA, HIPAA and other risk management concerns. Unless they take action to reform contracts and policies, health industry and other services covered by the new exemption generally may face contractual obligations to continue to comply with many of the Red Flag Rule mandates under contractual commitments incorporated into various agreements in anticipation of the effective date of the Red Flag Rule requirements. Health industry and other businesses expecting to enjoy relief from the Red Flag Rules as a result of the Act should review contractual and other obligations to properly understand their continuing legal responsibilities and, where warranted, consider revising contracts and policies to remove or adjust provisions incorporated solely in anticipation of Red Flag Rules mandates. Health care providers and other businesses that fail to take these and other appropriate steps to clean up their contracts and procedures risk unnecessarily obligating themselves to continue to comply with rules despite their exemption from these legal mandates.
For More Information or Assistance
If you need assistance evaluating or responding to health industry or other privacy and data security concerns or other technology and process, compliance, risk management, transactional, operational, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising physicians, hospitals and other health industry clients about quality assurance, peer review, licensing and discipline, and other medical staff performance matters. She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients, as well as other businesses, on privacy, data security, trade secret and related matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care staffing and human resources, compensation and benefits, technology, medical staff, public policy, reimbursement, privacy, technology, and other health and managed care industry regulatory, and other operations and risk management concerns for medical societies and staffs, hospitals, the HCCA, American Bar Association, American Health Lawyers Association and many other health industry groups and symposia. Her highly popular and information packed programs include many highly regarded publications on HIPAA, FACTA, medical confidentiality, state identity theft and privacy and many other related matters.
Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
For More Information
We hope that this information is useful to you. You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
©2010 Cynthia Marcotte Stamer. Limited license to reprint granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
December 8, 2010
Congress has approved and sent to the President for signature legislation exempting doctors, dentists, hospitals, veterinarians, and other health care providers, lawyers, accountants, consultants and other service providers that allow customers to pay for their services and supplies over time from the burdensome “Red Flag Rules” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
FACTA’s Red Flag Rules generally require “creditors” to comply with burdensome identity theft prevention and monitoring rules issued by the Federal Trade Commission (FTC). Under current FTC regulations set to take effect December 31, 2010, health care providers, attorneys, consultants or other service providers become covered creditors simply by allowing customers to finance and pay charges to the service provider over time.
Yesterday (December 7, 2010), the House of Representatives by voice vote passed H.R. 6420, the “Red Flag Program Clarification Act of 2010.” Like the Senate version of the Bill, S. 3987, passed by the Senate on November 30, 2010, the Red Flag Program Clarification Act (“Act”) is intended by Congress to make clear that doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, lawyers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flag Rules just because they do not receive payment in full from their clients when they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.
Assuming the President signs the Act into law, the Red Flag Rule’s definition of “creditor” generally would continue to apply to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipient’s obligation to repay (or permit the funds to be repaid through specific property of the recipient), or otherwise is a creditor that the Federal Trade Commission (FTC) by rule determines should be covered as a creditor that offers or maintains accounts subject to a reasonably foreseeable risk of identity theft. However, a person that only “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” will be expressly excluded from the definition of “creditor” for purposes of the Red Flag Rules.
The Act’s passage follows a multi-year battle by health care providers and other professional services providers to reverse the FTC’s interpretation of the Red Flag Rules as applicable to service providers that allow customers and clients to pay for services and supplies over time. The outcry about the FTC’s interpretation of the scope of the rules and the perceived cost and complexity of their provisions led the FTC to delay implementation several times. See e.g., Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required. The relief provided under the Act is particularly welcomed by health care providers, who already face significant civil and criminal liability exposures under the health industry-specific privacy and data security requirements of the Health Insurance Portability & Accountability Act (HIPAA). See CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.
While the Act, when signed into law, will relieve the technical burdens on health care providers and other service industry businesses by exempting them from FACTA’s Red Flag Rules, these and other businesses generally face significant responsibilities and risk under other federal electronic crimes and other federal and state data security, identity theft and other laws and precedent, as well as pursuant to contractual commitments incorporated into a broad range of agreements in response to FACTA, HIPAA and other risk management concerns. Even after the President signs the Act into law, however, health industry and other businesses still may face contractual obligations to continue to comply with many of the Red Flag Rules’ mandates under contractual commitments incorporated into various agreements in anticipation of the effective date of the Red Flag Rule requirements. Health industry and other businesses expecting to enjoy relief from the Red Flag Rules as a result of the Act should review contractual and other obligations to properly understand their continuing legal responsibilities and, where warranted, consider seeking contract amendments to remove provisions incorporated into contracts solely in anticipation of Red Flag Rules mandates to the extent this limited relief permits. Since the relief granted under the terms of the statute is quite narrow and limited, however, organizations should review carefully their operations to verify that their operations do not encompass other activities that would cause them to continue to qualify as creditors for purposes of the Red Flag Rules to avoid compliance exposures from over-estimating the scope of relief.
For More Information or Assistance
If you need assistance evaluating or responding to health industry or other privacy and data security concerns or other technology and process, compliance, risk management, transactional, operational, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@solutionslawyer.net.
For More Information
We hope that this information is useful to you. You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. For important information concerning this communication click here.
©2010 Cynthia Marcotte Stamer. Limited license to reprint granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
October 26, 2010
The Office of the National Coordinator for Health Information Technology (ONC) Governance Workgroup (Workgroup) is developing recommendations on governance mechanisms for the nationwide health information network.
The Workgroup identified overarching objectives, key principles, and core functions for governance in its Preliminary Report and Recommendations on the Scope of Governance presented to the Health Information Technology (HIT) Policy Committee on October 20th. The Workgroup is now preparing final recommendations on how governance functions should be implemented and by whom.
As a first step, the Workgroup would like to identify:
- Existing mechanisms that might be appropriate, with or without modifications, and with or without some added coordination; and
- Whether and what new mechanisms are needed.
The Workgroup would like public input on these issues and has created a table listing the core functions and questions to frame the input.
Submit your comments here by November 3, 2010.
For More Information or Assistance
If you need assistance evaluating or responding to this development or other health care technology and process, compliance, risk management, transactional, operational, reimbursement, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years’ experience advising health industry clients about these and other matters. She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients on the design and use of health information systems, technology, privacy and other related matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care privacy, technology, and other health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
Other Recent Developments
If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:
OIG Shares Key Insights On When Owners, Officers & Managers Face OIG Program Exclusion Based On Health Care Entity Misconduct
HHS to Host Regional 11/18 Meeting in LA as Part of HITECH Act Psychotherapy Notes & Testing Data Study
CMS Delegated Lead Responsibility For Development of New Affordable Care Act-Required Medicare Self-Referral Disclosure Protocol
HHS announces Rules Implementing Tools Added By Affordable Care Act to Prevent Federal Health Program Fraud
Monday 9/13 Deadline To Comment Proposed HITECH Act HIPAA Privacy Rules; 9/14 Meeting Studies Proposed Changes
DMEPOS Suppliers Face 9/27 Deadline To Meet Tightened Medicare Standards
Initial EHR Certification Bodies Named
HHS Announces Adjustments to Federal Medical Assistance Percentage (FMAP) Rates
CMS Publishes Corrections To Proposed 2011 Physician Fee Schedule Rules
Medicare Changing How It Pays For Outpatient Dialysis
Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As OCR Moves To Tighten Privacy Rules
HHS Invites Input On Medicaid Changes To Promote Children’s Health Quality
CMS Adopts ESRD Facility Prospective Payment System & Proposes New Quality Incentive Program
CMS Rule Clarifies When Outpatient Services Subject to 3-Day Rule & Finalizes FY 2011 Inpatient Payment Rates
New Affordable Care Act Mandated High Risk Pre-Existing Condition Insurance Pool Program Regulations Set Program Rules, Prohibit Plan Dumping of High Risk Members
CMS Proposes Changes To Civil Monetary Penalty Rules For Nursing Homes
For More Information
We hope that this information is useful to you. You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here. To unsubscribe, e-mail here.
©2010 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
October 19, 2010
The Substance Abuse and Mental Health Services Administration (SAMHSA) in cooperation with the Office for Civil Rights (OCR) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) to assess whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”
As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the Sheraton Los Angeles Gateway Hotel in Los Angeles, California on November 18, 2010. The details of this meeting, as well as the project staff contact information, are contained in the embedded brochure below.
You can register for this meeting directly here, or via the same announcement on OCR’s website here.
For More Information
We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years’ experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here. To unsubscribe, e-mail here.
©2010 Cynthia Marcotte Stamer. Limited license to republish granted to Solutions Law Press. All other rights reserved.
Posted by Cynthia Marcotte Stamer
September 10, 2010
9/14 NTHCPA Meeting on Strategies for Managing HIPAA Privacy Compliance After The HITECH Act
Health care providers, payers, healthcare clearinghouses and their business associates (Covered Entities) face a Monday, September 13, 2010 deadline to comment on proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules proposed by the U.S. Department of Health & Human Services Office for Civil Rights (OCR) on July 8, 2010 in response to amendments enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. If adopted as proposed, the more than 220-page Notice of Proposed Rulemaking (NPRM) will significantly tighten the requirements of the existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) applicable to Covered Entities under HIPAA. With the risks of HIPAA noncompliance highlighted by OCR’s August announcement that drugstore giant Rite Aid would pay $1 million to settle OCR charges that it violated the existing HIPAA’s Privacy & Security Rules and considering , Covered Entities Learn more about Rite Aid Resolution Agreement here. Learn more about Breach Notification Rules here.
The North Texas Health Care Compliance Professionals Association invites health industry compliance professionals to share and learn Strategies for Managing HIPAA Privacy Compliance After the HITECH Act by participating in its September 14, 2010 meeting from 11:30 a.m. – 1:30 p.m. hosted by Cynthia Marcotte Stamer, P.C., at One Hanover Park, 16633 North Dallas Parkway, 6th Floor, Addison Room, Addison, Texas 75001.
The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on HIPAA and other health industry compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for a compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
For More Information
We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years’ experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry and human resources matters, Ms. Stamer continuously advises health industry clients about health industry and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here. To unsubscribe, e-mail here.
©2010 Solutions Law Press. All rights reserved.
Posted by Cynthia Marcotte Stamer
August 30, 2010
The Office of the National Coordinator for Health Information Technology (ONC) today (August 30, 2010) named the Certification Commission for Health Information Technology (CCHIT), Chicago, Ill., and the Drummond Group Inc. (DGI), Austin, Texas, as the first technology review bodies authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year. The announcement comes less than two months after issuance of final meaningful use rules. Read more here.
For More Information or Assistance
If you need assistance responding to the EHR meaningful use, HITECH and other privacy, or other health industry regulatory, reimbursement or other operational or compliance concerns, please contact the author of this update, attorney Cynthia Marcotte Stamer. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients with licensure, contracting, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly publishes and conducts training on these and other compliance, management and operations matters. You can contact Ms. Stamer to inquire about engaging her services or for information about training or other resources that she provides at (469) 767-8872 or via e-mail here. To get more information about Ms. Stamer and her health industry experience, see here.
About Solutions Law Press
Solutions Law Press™ provides health industry and other risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.
©2010 Solutions Law Press. All rights reserved.
Posted by Cynthia Marcotte Stamer
July 20, 2010
The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will co-host an Audio Training on the Final Rules for ONC Certification and Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs on July 22, 2010 from 2:00-3:30 pm EST.
During the training, the Agencies plan to discuss:
- Benefits of HIT
- Summary of the final rules
- ONC temporary certification process
- ONC initial set of standards and implementation specifications
- Medicare and Medicaid EHR Incentive Programs, including the initial definition of meaningful use
To join the audio training, dial 1-877-251-0301 and enter the Conference ID pass code: 87841621
Materials will be made available prior to the training at the following web address here.
For more information about CMS EMR incentives, see here.
The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers, health plans and insurers, and other health and insurance industry clients with HIPAA, EMR and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on these and other health industry technology, compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for a compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
Other Recent Developments
If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:
For More Information
We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years’ experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry and human resources matters, Ms. Stamer continuously advises health industry clients about health industry and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.
©2010 Solutions Law Press. All rights reserved.
Posted by Cynthia Marcotte Stamer
July 9, 2010
Stay Tuned To Solutions Law Press For More Details
Get ready for even tighter privacy and security rules and more enforcement! The U.S. Department of Health & Human Services Office for Civil Rights (OCR) on July 8, 2010 proposed changes to its existing Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules in response to amendments enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Because of the lead time required to implement needed changes in policies, technology and training, health care providers, health plans, healthcare clearinghouses and their business associates should evaluate and begin preparations to adjust their health information privacy and data security policies and practices in anticipation of the finalization and implementation of these rules.
The more than 220 page Notice of Proposed Rulemaking (NPRM) proposes to revise the existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.
Solutions Law Press is finalizing arrangements to host a briefing on the proposed changes in August and planning more detailed updates on these developments. Stay tuned to Solutions Law Press for additional updates and details about a future briefing on these proposed HIPAA changes and other developments affecting HIPAA and other health plan and human resources matters. In the meanwhile, you may want to check out other existing Solutions Law Press updates and resources about HITECH Act and other HIPAA developments such as HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.
The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
Posted by Cynthia Marcotte Stamer
July 1, 2010
The Centers for Medicare & Medicaid Services (CMS) today (July 1, 2010) issued an interim final rule (Rule) that permits the voluntary use of the National Council for Prescription Drug Programs (NCPDP) Prescriber/Pharmacist Interface SCRIPT standard, Implementation Guide, Version 10, Release 6 (Version 10.6) (NCPDP SCRIPT 10.6) for conducting certain e-prescribing transactions for the Medicare Part D electronic prescription drug program. Review the Rule here.
Prior to the adoption of the Rule, only NCPDP SCRIPT 8.1 was authorized for use in communicating Medicare Part D medication history among sponsors, prescribers and dispensers. The Rule revises Regulation §423.160(b)(4) to specify that entities now may use either NCPDP SCRIPT 10.6 or 8.1 for the communication of Medicare Part D medication history among sponsors, prescribers, and dispensers.
Along with the rule, CMS issued a request for comments on the Rule. The deadline for interested parties to comment is 5 p.m. Eastern Daylight Time on August 30, 2010.
Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) requires that Prescription Drug Plan (PDP) sponsors, Medicare Advantage (MA) organizations offering Medicare Advantage-Prescription Drug Plans and other Medicare Part D sponsors (Plans) provide for electronic transmittal to the prescribing provider, dispensing pharmacy and the dispenser of information about:
- Eligibility,
- Benefits (including drugs included in the applicable formulary, any tiered formulary structure and any requirements for prior authorization),
- The drug being prescribed or dispensed and other drugs listed in the medication history,
- The availability of lower cost, therapeutically appropriate alternatives (if any) for the drug prescribed, and
- Certain other information.
Before the Rule, CMS had approved NCPDP SCRIPT 8.1 for conducting these electronic transmittals.
As a consequence of the Rule, Plans, prescribers and dispensers now may use either NCPDP SCRIPT 10.6 or 8.1 for the following e-prescribing transactions:
- Get message transaction.
- Status response transaction.
- Error response transaction.
- New prescription transaction.
- Prescription change request transaction.
- Prescription change response transaction.
- Refill prescription request transaction.
- Refill prescription response transaction.
- Verification transaction.
- Password change transaction.
- Cancel prescription request transaction.
- Cancel prescription response transaction.
- Fill status notification transaction.
- For the communication of Medicare Part D medication history among sponsors, prescribers, and dispensers.
Although the MMA does not require that prescribers or dispensers implement e-Prescribing, prescribers and dispensers who electronically transmit prescription and certain other prescription-related information for Medicare Part D covered drugs prescribed for Medicare Part D eligible individuals, directly or through an intermediary, must comply with any applicable final standards that are in effect. The Rule provides new choices on how to accomplish this.
The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. You can get more information about her health industry experience here. If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
Posted by Cynthia Marcotte Stamer
March 25, 2010
Health care providers wishing to electronically prescribe controlled substances should begin reviewing and updating their practices and technology to comply with requirements of the Interim Final Regulations scheduled for publication in the Federal Register on March 31, 2010. Read details at http://wp.me/ptOGJ-94
An advance copy of the new Interim Final Regulation with Request for Comments on Electronic Prescribing of Controlled Substances, released March 24, 2010 by the Drug Enforcement Administration (DEA) and Department of Justice, is posted for review here.
Concurrent with publication of the Interim Final Rule, the DEA is seeking additional comments on the following issues: identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.
About The Author
If you need assistance with health industry human resources or other management concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters, please contact Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or (469) 767-8872.
Nationally and internationally recognized for more than 22 years of work with health industry technology, privacy and data security, regulatory compliance, reimbursement, workforce and staffing, licensure and accreditation, and other quality, risk management, operations and public policy matters organizations, publications, workshops and presentations and leadership Cynthia Marcotte Stamer has worked extensively with physicians, health systems, specialty and other pharmacy, telemedicine and other health technology, and other health industry clients on a diverse range of operational, product and process development, regulatory, licensure, public policy and risk management protections relating to e-prescribing, telemedicine, interoperable and other electronic health and medicine arrangements and other health care internal controls, process and privacy and technology matters. The publisher of the Solutions Law Press Health Care Update, and Solutions Law Press Health Care Privacy & Technology Update, Ms. Stamer also is a popular speaker and author of these and other health industry topics. She regularly publishes, speaks and conducts training for health industry and other organizations, the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, various medical society and other professional organizations, the Medical Group Management Association, and many other organizations. 
Her many publications and programs include “Changing Regulations Will Ease Way for E-Prescribing, But Physicians Shouldn’t Jump the Gun,” “Telemedicine, E-Prescribing & Electronic Health Records: Opportunities & Exposures,” “Telemedicine & E-Prescribing: Evolving Ethical, Licensing & Reimbursement Rules & Realities,” the “Tort & Other Liability” Chapter of the ABA Health Law Section/BNA E-Health & Technology Treatise, “Protecting & Using Patient Data in Disease Management Opportunities, Liabilities and Prescriptions,” “Chapter 1: Privacy,” The Quest for Interoperable Electronic Health Records: A Guide to Legal Issues in Establishing Health Information Networks (AHLA 2005) (Contributing Author), “Cybercrime and Identity Theft: Health Information Security beyond HIPAA,” “Privacy & Securities Standards-A Brief Nutshell” and numerous other programs and publications on telemedicine and e-prescribing, HIPAA and other privacy and data security, and other related internal controls and operational matters. Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Spencer Publications, World At Work, SHRM, Business Insurance, James Publishing and many others. You can review other highlights of Ms. Stamer’s health care experience here, and employment experience here. Her insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.
Other Resources
If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:
- Joint Commission Revises Medical Staff Bylaw Standard
- TSHHRAE Provides Health Industry Managers Employment Law Update & Other Timely Management Training At April Barnstorm 2010: Creating Effective Leaders Programs
- House Could Vote On Health Care Reform As Early As Sunday
- Medicare Ends Fox Insurance Company Drug Plan Contract As CMS Turns Up Heat on Medicare Advantage & Part D Plan Enforcement & Oversight
- Southern States Collect Largest Share of $162 Million AARA Fund Meaningful Use Development Grants
- Stamer To Discuss “Health Care Reform’s Implications For Employers, Health Plans & Employee Benefits Practitioners” At May 5 Dallas Bar Association Meeting
- HRO Invites Comments On Project To Develop & Test Hospital Toolkit Intended To Guide Hospitals In Using AHRQ Quality Indicators
- NLRB Orders Union Elections In 31 California Health Care Facilities To Proceed
- IRS To Allow Medical Resident FICA Refund Claims
- HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website
- HHS Delays 2010 HHS Federal Poverty Rate Update To March 1, 2010
- Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures
- Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim
- Quest Diagnostics Inc. To Pay $688,000 In Overtime Back Wages Settlement After Misclassifying Systems Employees As Exempt
- Homecare Workers Exempt From FLSA
- Stamer Speaks To Chiefs of Staff About JCAHO Physician Performance Evaluation Requirements
- Pfizer To Pay $2.3 Billion For Fraudulent Marketing In Largest DOJ Health Care Fraud Settlement
- Maximum Penalty For Patient Protection Act Confidentiality Breaches To Rise To $11,000
- OIG Special Fraud Alert Targets DME Telemarketing
- Federal HEAT & Other Federal Health Care Fraud Efforts Score More Than 15 Successes As OIG Claims $20.97 Billion Saved From Enforcement Activities In December
- HEAT Initiative Snares Health Fraud Related Guilty Pleas of Physical Therapist, Money Launderer and Patient Recruiter In Detroit
- Medicare Paid Physicians More Than $92 Million in Incentives for 2008 Under the Physician Quality Reporting Initiative
- Renal Dialysis Faculties Encouraged to Review Current Protocols for Administering Erthropoiesis-Stimulating Agents
- CMS Publishes Updated FY 2010 Inpatient Rehabilitation Facility Prospective Payment System Final Rule
- SouthWest Benefits e-Connections Highlights Stamer Article About Importance For Health Plans, Their Sponsors & Business Associates To Update HIPAA Policies, Practices & Agreements
- Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates
- Employers, Group Health Plans Subject To New CHIP/Medicaid Notice, Coordination of Benefits & Special Enrollment Requirements
- Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes
- St. Louis Employer’s OSHA Violations Trigger Contempt Order and Penalties
- Labor Department Final H-2A Certification Procedures Tighten Requirements For Employment Of Temporary Agricultural Employment Of Workers
- COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations
©2010 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
March 19, 2010
By Cynthia Marcotte Stamer
The stage now appears to be set for the House of Representatives to vote as early as Sunday on the latest version of health care reform backed by President Obama, Speaker Nancy Pelosi and other key Congressional Democrats, the Reconciliation Act of 2010 (H.R. 4872). The impending deadline means that health industry providers and other Americans concerned about the potential outcome of the impending vote need to act quickly if they wish to attempt to influence the decision. For tips about sharing your input with Congress effectively, see Getting Your Health Care Reform Message Heard By Key Congressional Leaders.
Developments Today Start Clock Running For Vote
On Thursday, March 18, 2010, two key developments set the stage for a vote on H.R. 4872 as early as Sunday:
- The House Rules Committee posted the text of H.R. 4872 on its website; and
- The Congressional Budget Office (CBO) delivered its scoring of H.R. 4872 to House Speaker Nancy Pelosi.
The delivery of CBO scoring started the clock running on the 72 hour mandatory period between the release of the CBO scoring and any final vote on the bill. This means the House could vote on H.R. 4872 as early as Sunday, March 21.
If passed by the House, H.R. 4872 would make sweeping changes to the U.S. health care system impacting virtually every American patient, health care provider, employer and taxpayer. To learn the facts about these proposed changes, read the full text of H.R. 4872 here.
According to the CBO, H.R. 4872 will cost $940 billion over 10 years to extend coverage to 32 million uninsured people. To learn more specifics about these cost and other determinations, review the CBO scoring here.
This Is Only The Beginning: Stay Involved
The outcome of this latest health care reform push is only a small part of a continuing process. Whether or not the President’s proposal or some other version of health care reform passes this week, Congress already has and will continue to consider other legislation impacting health care reform. This reality is demonstrated by Congressional actions recently taken on the COBRA premium subsidy extension, Medical reimbursement for physicians, continuing federal efforts to develop and implement federal health care quality and technology standards, and other legislative, regulatory and enforcement actions taken while public attention has been focused largely only on the broader health care reform debate.
Upcoming mid-term elections will significantly impact the nature and scope of these upcoming efforts. Perhaps even more significantly, the enactment of legislation is only a beginning point. The real meaning of these or other health care reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye. Monitoring and staying active in these ongoing processes provides a critical opportunity to continue to monitor your issues and provide input to shape how they are addressed.
Individuals concerned about these and other health care reform proposals and concerns are invited to stay involved in the discussion by sharing their input with Congress and regulators. Concerned individuals also are invited to stay involved in the discussion by joining the Coalition for Responsible Health Care Reform Group on Linkedin and registering to receive these updates here. The author of this article, Curran Tomko Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer, has extensive experience advising and assisting health industry clients and others about a diverse range of health care policy, regulatory, compliance, risk management and operational concerns. You can get more information about her health industry experience here.
Help Monitoring & Responding To Developments
If you need assistance evaluating or formulating comments on the proposed reforms contained in the House Bill or on other health industry matters please contact Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com or 214.270.2402.
From her extensive involvement with federal and state legislative and regulatory licensing, telemedicine, managed care, privacy and other health, pension and other reforms in the U.S. to her involvement as a lead advisor to the Government of Bolivia on its pension privatization legislation, Ms. Stamer’s experience includes significant experience working with clients domestically on key health care and other public policy matters. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Chairman of the Board of Richardson Development Center for Children and past Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer couples her policy experience with her extensive experience working with health industry clients on regulatory, staffing, reimbursement, risk management and compliance and other operational matters. She has more than 22 years’ experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry matters, Ms. Stamer advises hospitals and other health industry clients about responding to and using these and other quality measures and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry quality, regulatory, reimbursement, and other operations, risk management and public policy concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
For More Information
We hope that this information is useful to you. If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Edwin J. Tomko at (214) 270-1405 or another Curran Tomko Tarski LLP Partner of your choice. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other internal controls and risk management matters.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to cstamer@cttlegal.com.
Posted by Cynthia Marcotte Stamer
March 16, 2010
By Cynthia Marcotte Stamer
Southern states are the big winners among the 16 states and qualified state designated entities (SDEs) to share in the approximately $162 million in American Recovery and Reinvestment Act of 2009 (ARRA) fund grants to facilitate the development of health information exchange and advance health information technology (health IT) announced by the U.S. Department of Health and Human Services (HHS) today (March 15, 2010).
Drawn from the $2 billion in funding set aside in ARRA to promote widespread meaningful use of health IT and use of an electronic health record, the following health information exchange awards seek to facilitate non-proprietary health information exchange that adheres to national standards widely perceived as critical to enabling care coordination and improving the quality and efficiency of health care.
The recipients and award amounts of the grants announced today are:
- Texas Health and Human Services Commission, $28,810,208
- Florida Agency of Health Care Administration, $20,738,582
- New Jersey Health Care Facilities Financing Authority, $11,408,594
- Louisiana Health Care Quality Forum, $10,583,000
- State of Mississippi, $10,387,000
- Indiana Health Information Technology, Inc., $10,300,000
- The Maryland Department of Health and Mental Hygiene, $9,313,924
- South Carolina Department of Health & Human Services, $9,576,408
- Iowa Department of Public Health, $8,375,000
- State of Connecticut Department of Public Health, $7,297,930
- Nebraska Department of Administrative Services, $6,837,180
- South Dakota Department of Health, $6,081,750
- Idaho Health Data Exchange, $5,940,500
- State of North Dakota, Information Technology Department, $5,343,733
- State of Alaska, $4,963,063
Additional information about the state HIE program may be found here. Information about other health IT programs funded through ARRA generally can be found here.
For Assistance With This Opportunity Or Other Health Industry Concerns
If your organization needs advice or assistance with commenting on the AHRQ proposal or to respond to other health care quality or other health care matters, consider contacting the author of this article, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail here.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years’ experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry matters, Ms. Stamer advises hospitals and other health industry clients about responding to and using these and other quality measures and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry quality, regulatory, reimbursement, and other operations, risk management and public policy concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
Posted by Cynthia Marcotte Stamer
March 15, 2010
By Cynthia Marcotte Stamer
April 12, 2010 is the deadline for interested persons to comment on the request by the Agency for Healthcare Research and Quality (AHRQ) for approval of its proposed “Development and Evaluation of AHRQ’s Quality Indicators Improvement Toolkit” information collection project.
AHRQ’s mission under 42 U.S.C. 299(b)(1)(F); 299a(a)(1) and (2) is to disseminate information and tools that can support improvement in quality and safety in the U.S. health care community. In furtherance of this mission, AHRQ has developed sets of Quality Indicators (QIs) for use by AHRQ and others to document quality and safety conditions at U.S. hospitals. These and other federally established quality standards are a key part of ongoing government efforts to promote quality and cost effectiveness in the U.S. medical system, as well as to tie reimbursement to the satisfaction of these or other government-adopted quality standards.
To encourage broader use and adoption of its QIs by hospitals and others, AHRQ now is working on developing and evaluating a toolkit to help hospitals to effectively use AHRQ’s QIs. The proposed AHRQ toolkit would use two sets of QIs already developed and evaluated by AHRQ:
- The Inpatient Quality Indicators (IQIs), which contain measures of volume, mortality, and utilization for common medical conditions and major surgical procedures; and
- The Patient Safety Indicators (PSIs), which are a set of measures to screen for potentially preventable adverse events that patients may experience during hospitalization.
The QIs and supportive documentation on how to work with them are posted on AHRQ’s Web site here. Many of the QIs have been endorsed by the National Quality Forum through its consensus review process.
To promote the appropriate use of these tools, AHRQ plans to develop and then field test an alpha version of the Quality Indicators Improvement Toolkit with six hospitals. The currently open request invites public comment on the proposed information collection efforts to be conducted as part of this phase of the project.
To review the pending request for comment for additional details or instructions on submitting comments, see here.
Posted by Cynthia Marcotte Stamer
February 25, 2010
By Cynthia Marcotte Stamer
The Department of Health and Human Services Office of Civil Rights (OCR) has begun posting on its website the names and certain information about health care providers, health insurers, employer and other health plans, health care clearinghouses and their business associates (Covered Entities) reporting to OCR “breaches” of “unsecured protected health information” (UPHI) under new breach notice rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Covered Entities should anticipate that the posting of the breach information and other HITECH Act breach notices, coupled with amendments to the medical privacy and security requirements of the Health Insurance Portability & Accountability Act (HIPAA) effective since February 17, 2010, will heighten enforcement risks and public sensitivities about medical information privacy safeguards. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other significant liability exposures, Covered Entities should act quickly to manage these emerging risks.
Covered Entity Breach Notification Requirements
The initial list of Covered Entities reporting breaches of UPHI affecting 500 or more individuals posted by OCR on February 22, 2010 discloses the Covered Entity’s name and State, the approximate number of individuals affected, the date and type of breach and the location of the breached information. OCR’s posting of this information is required under the HITECH Act breach notification requirements as part of its implementation and enforcement of new breach notification requirements added to HIPAA by Section 13402(e)(3) of the HITECH Act.
The HITECH Act amended HIPAA to require Covered Entities to provide notification to individuals, OCR and others when certain breaches of UPHI happen. The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR here require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.
Covered Entities generally should consider the need to provide breach notification under the Breach Regulation whenever electronic or non-electronic protected health information which is not adequately encrypted or destroyed to qualify as “secured” under the breach rules is used, accessed or disclosed in violation of HIPAA.
Since the potential need to provide breach notification is triggered by an impermissible use, access or disclosure of UPHI, up-to-date maintenance, monitoring and enforcement is at the heart of compliance with the Breach Regulation as well as HIPAA generally.
You can review the currently posted list of Covered Entities that have reported breaches on the OCR website here. Learn more about the Breach Regulation requirements here.
Broader & Stricter Medical Privacy Mandates Effective 2/17/2010
The new breach notification requirements are part of a series of changes made to HIPAA under the HITECH Act that are increasing the responsibilities and liability exposures of Covered Entities. On February 17, 2010, Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted in the HITECH Act. When the HITECH Act was signed into law on February 17, 2009, Covered Entities also became subject to expanded sanctions and remedies for HIPAA violations.
To comply with the HITECH Act changes to HIPAA effective on February 17, 2010, most Covered Entities and their business associates generally will need to update their written policies, operational procedures, technical safeguards, privacy notices, vendor and other agreements, training, and other management procedures in several respects. For more details, see here.
While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have not adequately implemented the necessary arrangements. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.
Exposures Significant & Growing
HIPAA-associated exposures for Covered Entities are significant and growing. Timely action to comply with the amended HIPAA requirements and Breach Regulations is important to avoid triggering the breach notification requirements; to prevent loss of public trust and reputation; and to minimize exposures to legal actions, administrative complaints and sanctions and the investigation, defense and correction costs likely to result when a Covered Entity violates or is accused of violating HIPAA or otherwise mishandling medical or other personal information.
Even before the HITECH Act changes became effective, federal regulators were stepping up HIPAA enforcement. The HITECH Act amendments further increase the risk that Covered Entities violating HIPAA face investigation and sanction. The HITECH Act amendments increase the likelihood that Covered Entities violating HIPAA will get caught and will face some form of damage or penalty assessment. Heightened awareness of UPHI breaches resulting from HITECH Act mandated breach notifications is likely to fuel new HIPAA-related complaints, charges and demands. Covered Entities and workforce members who wrongfully access protected health information now face potential civil penalties, criminal prosecution, civil lawsuits and other actions. Allowing state attorneys general to bring suit adds more manpower to the enforcement team. Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.
New Risks Created By HITECH Act Amendments
Heightened HIPAA exposures stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:
- Allow a State Attorney General to sue Covered Entities that commit HIPAA violations after February 16, 2009 for damages caused to state citizens;
- Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
- Require OCR to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
- Revise the criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA; and
- Amend HIPAA to make clear that workforce members and others improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.
State Attorney General Lawsuit Exposures
Covered Entities must be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA. In certain situations, the HITECH Act empowers a state attorney general to sue Covered Entities for damages if their HIPAA violations harm state citizens. Statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys’ fees and costs are authorized.
A HIPAA civil lawsuit demonstrates the willingness of at least some states to exercise the new authority to sue Covered Entities. On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and to promptly notify consumers endangered by the security breach. In the first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut and then allowing this information to remain exposed for at least six months before notifying authorities and consumers. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.
Stepped Up Federal Enforcement
Even before the HITECH Act amendments, OCR and Department of Justice increased HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, OCR also is emphasizing HIPAA enforcement. In February, 2009, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities. See more details here. While not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.
In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose Covered Entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws. Federal and state prosecutors may and increasingly do bring criminal or civil actions against organizations or individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws. See, e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.
State Civil Lawsuits
Covered Entities also need to prepare to defend HIPAA-related conduct in state civil actions. Individual plaintiffs increasingly use alleged HIPAA violations in state privacy, negligence, retaliation, wrongful discharge or other lawsuits. State courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits. In Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim. Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, disgruntled employees or other business partners performing services for Covered Entities also increasingly are pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Read more here.
Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities that fail to properly manage their HIPAA compliance obligations and risks. To help guard against these exposures, Covered Entities should act quickly to strengthen their HIPAA defenses by updating policies, contracts, practices, security, training, oversight, documentation and management.
Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations
Faced with these expanding obligations and exposures, Covered Entities should prepare for the need to defend the adequacy of their HIPAA compliance efforts on paper and in operation. As part of these efforts, Covered Entities should consider:
- Reviewing the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information within the scope of attorney-client privilege taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable;
- Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
- Renegotiating and enhancing service provider agreements to detail the specific compliance obligations of each party; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; to clarify rights of indemnification; and other related relevant matters;
- Improving technological and other tracking, documentation and safeguards and controls on the use, access and disclosure of protected health information;
- Conducting well-documented training as necessary to ensure that members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reporting and responding to suspected violations;
- Tracking actual and near miss violations and making adjustments to policies, practices, training, safeguards and other compliance components as necessary to deter future concerns;
- Establishing and providing well-documented monitoring of compliance;
- Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns;
- Establishing contingency plans for responding in the event of a breach;
- Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements;
- Preparing and maintaining a well-documented record of compliance activities; and
- Pursuing other appropriate strategies to enhance the Covered Entity’s ability to demonstrate its compliance commitment both on paper and in operation.
For Assistance With Compliance Or Other Concerns
The author of this article, Ms. Stamer, has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, please contact the author of this article, Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402 or another Curran Tomko Tarski LLP attorney of your choice. You can get more information about the CTT Health Care Practice and more specifics about Ms. Stamer’s health industry experience here.
Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years’ experience advising clients, conducting workshops and other training, and providing policy advice about health care, privacy, data security, and other matters. She advises health care providers, health insurers and administrators, employer and other health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, ERISA, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. A widely published author on privacy, data security, health care and other related matters, Ms. Stamer is the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
Other Helpful Resources & Other Information
If you found these updates of interest, you also may be interested in one or more of the following other recent articles:
- Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates
- Employers, Group Health Plans Subject To New CHIP/Medicaid Notice, Coordination of Benefits & Special Enrollment Requirements
- Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes
- Federal Health Care Fraud Enforcement Efforts Score More Than 15 Successes In December As OIG Claims Enforcement Saved $20.97 Billion in ‘09
- HEAT Initiative Secures Health Fraud Related Guilty Pleas of Physical Therapist, Money Launderer and Patient Recruiter In Detroit
- Stericycle Inc.’s Acquisition Of Medserve Inc. Challenged As Anticompetitive
- Medicare Paid Physicians More Than $92 Million in Incentives for 2008 Under Physician Quality Reporting Initiative
- HIPAA Covered Entities & Business Associates Deadline To Comply With HITECH Act Data Breach Rules Tomorrow
- CMS Proposes New Prospective Payment System For Renal Dialysis Facilities; Hopes To Improve Quality, Efficiency
- Wrongful Access of Health Care Records Prompts HIPAA Criminal Actions, Whether Prompted By Curiosity or Fraudulent Intent
- Pfizer To Pay $2.3 Billion For Fraudulent Marketing In Largest Health Care Fraud Settlement in DOJ History
- CMS Releases Brochure On ICD-10 Coding System
- COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations
- Inapplicability of HIPAA Privacy To Disability Insurer Not License To Impose Unreasonable Claims Requirements
- HHS Delays 2010 HHS Federal Poverty Rate Update To March 1, 2010
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
©2010 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
December 1, 2009
The Office of the National Coordinator for Health Information Technology (ONC) HIT Policy Committee’s Nationwide Health Information Network Workgroup will hold a public meeting on December 16, 2009. The meeting is scheduled from 10 a.m. to 5 p.m. Eastern Time at the OMNI Shoreham Hotel, 2500 Calvert Street, NW., Washington, DC. Members of the public are invited to participate live, via telephone, or via Webcast. For details about options for participation, instructions to present input, and other details, see here.
For More Information
We hope that this information is useful to you. If you need assistance with these or other health care public policy, regulatory, compliance, risk management, workforce and other staffing, transactional or operational concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other reimbursement, operations, internal controls and risk management matters. You can review other recent health care and related resources and additional information about the health industry and other experience of Ms. Stamer here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here and/or by participating in the SLP Health Care Risk Management & Operations Group on LinkedIn. To unsubscribe, e-mail here.
©2009 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
October 22, 2009
Americans finally have a chance to read the actual statutory language of the painfully negotiated package of health care reforms that the Senate Finance Committee proposes for adoption. The Senate Finance Committee leadership has finished drafting and has posted the 1506-page text of the proposed statutory language of the health care reform provisions of the “America’s Healthy Future Act” on its website here.
When the Senate Finance Committee voted to pass the America’s Healthy Future Act, its members had not yet had the opportunity to review the actual statutory language proposed to implement the package of health care reforms painfully hashed out in their committee. Because the statutory language had not been completed when a majority of the Democrats and one Republican Senator serving on the Senate Finance Committee voted to send the legislation to the full Senate, the vote actually was taken on a narrative description of the intended reforms set forth in a revised draft of the “Chairman’s Mark” of the legislation. Since that time, Senate Finance Committee Chairman Max Baucus and other key Democrat Senators on the Senate Finance Committee have worked behind closed doors to prepare the actual statutory language to be presented to the full Senate.
As proposed, the America’s Healthy Future Act would require sweeping changes to the U.S. health care systems that if adopted will radically impact the roles and responsibilities of every patient, health care provider, health care payor, employer and other American. Because of the potential implications on the way health care is financed, delivered and administered and the projections that the legislation will cost approximately $1 Trillion, all parties are urged to carefully review the complex and lengthy legislation to gain an understanding of the legislation and to act quickly to make any concerns known to elected leaders in Congress.
Posted by Cynthia Marcotte Stamer
October 15, 2009
The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently posted online forms and instructions for submitting notice of breaches of unsecured protected health information to OCR required under new protected health information breach notification rules enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Under Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act as implemented by the Interim Final Breach Notification Regulations published by OCR in August, health care providers, health plans, and health care clearinghouses (covered entities) and their business associates within the meaning of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must provide certain notifications within 60 days following discovery of a breach of unsecured protected health information to individuals whose protected health information was breached, OCR, and certain other parties. The new breach notification requirements apply to breaches occurring after September 23, 2009.
The form required to submit notice to OCR and the deadline for submitting it depend on the number of affected individuals. For breaches affecting 500 or more individuals, notice of the breach must be submitted without unreasonable delay and no later than 60 days from the discovery of the breach. In other cases, notice to affected individuals still must be provided without unreasonable delay and within 60 days of discovery, but notification to CMS may be provided within 60 days of the end of the calendar year of discovery of the breach.
The author of this update, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising covered entities, their business associates and others about HIPAA and other privacy and data security matters affecting covered entities and their business associates and has conducted training on the breach notification and other new HITECH Act rules and other HIPAA Privacy and Security matters. You can review her experience, learn how to access recordings of her presentations and other details here.
For More Information
We hope that this information is useful to you. If you need assistance with these or other health care public policy, regulatory, compliance, risk management, workforce and other staffing, transactional or operational concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other reimbursement, operations, internal controls and risk management matters.
Ms. Stamer has extensive experience in these and other health industry related representation. You can review other recent health care and related resources and additional information about the health industry and other experience of Ms. Stamer here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here, or e-mailing this information to cstamer@cttlegal.com, and/or by participating in the SLP Health Care Risk Management & Operations Group
Posted by Cynthia Marcotte Stamer
September 29, 2009
NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONAL ASSOCIATION
October 13, 2009 Meeting Reminder
2:00 – 4:00 p.m. at the Texas Health Resources Pavilion
The North Texas Health Care Compliance Professional Association’s October 13, 2009 meeting will feature a participatory Health Care Compliance Roundtable Discussion of Hot Topics moderated by Erma E. Lee, JPS Health Network District Compliance Officer and NTPCA President, on Tuesday, October 13, 2009 from 2:00 – 4:00 p.m. at the Texas Health Resources Pavilion located at 612 E. Lamar Blvd., Arlington, TX. Topics to be discussed include:
- HIPAA Data Breach, Red Flag & Other Evolving Privacy & Data Security Obligations & Risks
- Office of Civil Rights Health Industry Disability & Other Civil Rights Enforcement
- Tax-Exemption Issues Including Proposed Form 990 and Exemption Reforms In Health Care Reform
- Health Care Fraud Enforcement
- Other Hot Developments
Come catch up on these and other new developments and exchange thoughts and insights with other Health Care Compliance Professionals!
NTHCPA thanks Texas Health Resources for hosting this month’s meeting.
For additional information, please contact NTHCPA Vice-President Cynthia Marcotte Stamer at (214) 270-2402 or by e-mail at cstamer@solutionslawyer.net.
We look forward to seeing you there!
About the NTHCPA
NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.
The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.
To register or update your registration or to receive notice of future meetings, e-mail here.
Posted by Cynthia Marcotte Stamer
September 29, 2009
The next meeting of the HIT Standards Committee of the Office of the National Coordinator for Health Information Technology (ONC) will be held on October 14, 2009, from 9 a.m. to 3 p.m./Eastern Time at the Omni Shoreham Hotel, 2500 Calvert Street, NW., Washington, DC. The hotel telephone number is 202-234-0700. Interested members of the public are invited to attend.
Created under the American Recovery and Reinvestment Act of 2009 (ARRA), the HIT Standards Committee is charged with making recommendations to the Office of National Coordinator for Health Information Technology (ONC) on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information consistent with the implementation of the Federal Health IT Strategic Plan, and in accordance with policies developed by the HIT Policy Committee. Even as Congress debates further reforms, the HIT Committee and other components of the ONC are key actors in the continuing efforts of the Obama Administration to promote health care efficiency by reengineering health care technology.
During a previous meeting on August 20, 2009, the HIT Committee finalized certain recommendations concerning meaningful use of electronic medical records, clinical quality, and privacy and security of protected health information, which are available for review here.
According to the ONC announcement regarding the upcoming meeting in today’s (September 29, 2009) Federal Register available here, the Committee plans during the meeting to:
- Discuss reports from its Clinical Operations, Clinical Quality, and Privacy and Security Workgroups
- Take testimony from invited experts in the field of security as it relates to health information technology
Interested persons may present data, information, or views, orally or in writing, on issues pending before the committee. Written submissions may be made to the contact person on or before October 6, 2009. Oral comments from the public will be scheduled between approximately 2:30 p.m. and 3 p.m. Time allotted for each presentation may be limited. If the number of speakers requesting to comment is greater than can be reasonably accommodated during the scheduled open public hearing session, ONC will take written comments after the meeting until close of business.
ONC hopes to make background material available to the public at least two (2) business days prior to the meeting. However, if ONC is unable to post the background material on its Web site before the meeting, it will make that material publicly available at the location of the advisory committee meeting, and post the background material on ONC’s web site after the meeting here.
The designated person to contact for additional information is Jonathan Ishee, Office of the National Coordinator, HHS, 200 Independence Ave, SW., Room 729-G, Washington, DC 20201, 202-205-8493, Fax: 202-690-6079, e-mail: jonathan.ishee@hhs.gov.
If you need assistance preparing or presenting comments to the HIT Standards Committee or with monitoring or responding to other health care IT, privacy and data security, regulatory, operational, public policy or other health care concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Chair and Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at CStamer@CTTLegal.com.
For More Information
We hope that this information is useful to you. If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other reimbursement, operations, internal controls and risk management matters.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here, registering to receive updates in blog form here or e-mailing this information to support@solutionslawyer.net.
Posted by Cynthia Marcotte Stamer
September 9, 2009
Register here to Participate In September 17 Briefing On New HIPAA Data Breach Rules
As part of the American Recovery and Reinvestment Act of 2009 (ARRA), the Office of the National Coordinator for Health Information Technology (ONC) is required to publicize the Health Information Technology Standards Committee (Committee) recommendations in the Federal Register and provide for public input.
During its August 20, 2009 meeting, ONC reports that the Committee’s recommendations focused on the following areas:
- Clinical Quality
- Clinical Operations
- Privacy and Security.
Individuals wishing to make comments on the Committee’s August 20, 2009, recommendations may present oral comments at the Committee’s next meeting on September 15, 2009, from approximately 1:00 p.m. to 2:00 p.m. Eastern Time, at the Omni Shoreham Hotel, 2500 Calvert Street, NW, Washington, DC, 20008. Comments will be limited to two (2) minutes per person.
All recommendations from the August 20, 2009 meeting may be found here. In addition, specific URLs for each recommendation have been listed below.
The Clinical Quality recommendations pertain to the appropriate standardized performance measures that correspond to the HIT Policy Committee’s 2011 Meaningful Use Measures. The recommendations include 30 quality performance measures and the data types required for each, of which National Quality Forum (NQF)-endorsed measures can either be retooled for use in an Electronic Health Record (EHR) or will require attestation for the foreseeable future. The Clinical Recommendations of the Committee appear here.
The Clinical Operations recommendations focus on standards for 2011 Meaningful Use, including quality data reporting, messaging formats, and all the vocabularies necessary for semantic interoperability. The Clinical Operations recommendations appear here.
The Privacy and Security recommendations focus on authentication, authorization, auditing and secure data transmission standards as well as Meaningful Use measures related to HIPAA compliance. The Privacy & Security recommendations appear here.
A separate notice announcing this meeting has been published in the Federal Register and provides additional information.
If you need assistance with auditing, updating or defending your organization’s HIPAA and other privacy and data security practices, or addressing other HITECH Act or related health care matters, please contact Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at CStamer@CTTLegal.com.
Register Now For Upcoming September Health Industry Update Programs
If you found this information of interest, you also may be interested in one of the following upcoming health industry programs to be presented by Ms. Stamer during September:
- How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination — What You Should Be Doing To Be Prepared for the New, Stepped Up Enforcement Actions on September 10, 2009 hosted via teleconference by Health Resources Publishing
- Health Information Security & Data Breach Under HITECH Act on September 17, 2009 hosted via teleconference by the Health Care Compliance Association
To register or for other details about these and other upcoming programs and presentations by Ms. Stamer and other Curran Tomko Tarski members, see here.
For More Information
We hope that this information is useful to you. If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Edwin J. Tomko at (214) 270-1405 or another Curran Tomko Tarski LLP Partner of your choice. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other internal controls and risk management matters.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to cstamer@cttlegal.com.
Posted by Cynthia Marcotte Stamer
September 9, 2009
Midnight on November 9, 2009 is the deadline to respond to the Drug Enforcement Administration’s (DEA) request for comments on how best to standardize the specific internal code number associated with each individual practitioner permitted by a hospital or other institutional practitioner to administer, dispense, or prescribe controlled substances using that institution’s DEA registration.
DEA is soliciting public input in response to comments it received on its Notice of Proposed Rulemaking, “Electronic Prescriptions for Controlled Substances,” published on June 27, 2008, 73 FR 36722. In that Notice, DEA proposed:
- That pharmacy applications receiving electronic prescriptions for controlled substances be capable of reading and retaining the full DEA registration number, including any extensions, or other identification numbers used under 21 CFR 1306.05(c).
- That the full number including extensions must be retained in the prescription record.
- That the pharmacy application must verify that the practitioner’s DEA registration was valid at the time the prescription was signed by checking the DEA CSA database or by having another entity check the DEA CSA database during transmission and indicate on the record that the check has occurred and the registration is valid.
- That the pharmacy application must reject prescriptions signed by practitioners without valid DEA registrations.
Every person who dispenses controlled substances is required to obtain a DEA registration under the Comprehensive Drug Abuse Prevention and Control Act of 1970, often referred to as the Controlled Substances Act and the Controlled Substances Import and Export Act (21 U.S.C. 801-971) (CSA).
An individual practitioner who is an agent or employee of a hospital or other institution registered with DEA may use the DEA registration of that hospital or other institution to administer, dispense, or prescribe controlled substances in accordance with the regulations (21 CFR 1301.22(c)). Specifically, an individual practitioner who is an agent or employee of a hospital or other institution may, when acting in the normal course of business or employment, administer, dispense, or prescribe controlled substances under the registration of the hospital or other institution, which is registered in lieu of his being registered himself, if:
- The dispensing, administering or prescribing is done in the usual course of his professional practice;
- The individual practitioner is authorized or permitted to do so by the jurisdiction in which he is practicing;
- The hospital or other institution by whom he is employed has verified that the individual practitioner is so permitted to dispense, administer, or prescribe drugs within the jurisdiction;
- The individual practitioner is acting only within the scope of his employment in the hospital or institution;
- The hospital or other institution authorizes the individual practitioner to administer, dispense or prescribe under the hospital registration and designates a specific internal code number for each individual practitioner so authorized. The code number shall consist of numbers, letters, or a combination thereof and shall be a suffix to the institution’s DEA registration number, preceded by a hyphen; and
- A current list of internal codes and the corresponding individual practitioners is kept by the hospital or other institution and is made available at all times to other registrants and law enforcement agencies upon request for the purpose of verifying the authority of the prescribing individual practitioner. See 21 CFR 1301.22(c).
In response to the comments on these proposed provisions, DEA has determined standardization of the internal code numbers assigned by institutional practitioners to the individual practitioners they permit to use their registration to administer, dispense, and prescribe controlled substances is essential for DEA to require pharmacy systems to retain this information.
Since this number has never been standardized, however, DEA anticipates that institutional practitioner registrants have established a variety of internal code number systems. Accordingly, DEA is soliciting information from the regulated industry and other interested members of the public regarding current methods used and how best to implement industry standardization in this area. Specifically, DEA seeks the following information:
- Information regarding formats used by institutional practitioners when establishing internal code numbers for individual practitioners permitted to use the institution’s registration number;
- Estimates of the number of individual practitioners using internal code numbers for identification purposes;
- Estimates of the number of individual practitioners using internal code numbers for identification purposes in a particular institutional practitioner;
- Estimates of costs to institutional practitioners if code numbers for individual practitioners were to be standardized and what changes would be associated with those costs;
- Formats pharmacy applications could accommodate or would prefer, recognizing that pharmacy applications may need to be reprogrammed to accept this information;
- Estimates of the costs to pharmacies and/or pharmacy application providers for such reprogramming;
- Comments regarding whether pharmacies have had difficulty obtaining information from institutional practitioners regarding individual practitioners’ internal code numbers and, if so, any proposed solutions.
Persons wishing to address the above topics or provide other information relative to these proposed rules should submit their comments by Midnight on November 9, 2009 in accordance with the instructions contained in the Notice available for review here.
For More Information
We hope that this information is useful to you. If you need assistance with auditing or defending health care fraud concerns or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Edwin J. Tomko at (214) 270-1405 or another Curran Tomko Tarski LLP Partner of your choice. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other internal controls and risk management matters.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to cstamer@cttlegal.com.
©2009 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
September 8, 2009
Register here To Participate In September 9 or September 17 Briefings on New HIPAA Data Breach Rules
Two recent separate criminal actions against hospital workers for wrongfully accessing medical records in violation of the medical privacy provisions of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA) are the latest reminders to health care providers, health plans, health care clearinghouses, their business associates and members of their workforce that the criminal provisions of the HIPAA Privacy Rules have teeth.
Palmetto General Hospital Employee And Accomplice Indicted For Stealing Patient Records As Part Of Fraud
In Miami-Dade County, federal felony charges are pending against Jacquettia L. Brown, 29, and Tear Renee Barbary, 25, for offenses relating to the theft of patient profile records from Palmetto General Hospital to further a fraud scheme.
A seven-count Indictment announced by the Department of Justice on May 26, 2009 charges Brown and Barbary with conspiracy to commit access device fraud in violation of Title 18, United States Code, Section 1029(b)(2), and criminal violations of HIPAA. In addition, Brown is charged with aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1). If convicted, the defendants face a statutory maximum of five (5) years’ imprisonment on Count 1, and a statutory maximum of ten (10) years’ imprisonment as to each of Counts 2, 3, and 7. As to Counts 4-6, Brown faces a two (2) year mandatory prison sentence per count.
According to the Indictment, Brown, a medical records employee of Palmetto General Hospital, took records containing personal profile information of Palmetto General Hospital patients. Defendants Brown and Barbary then used the stolen personal information to further a credit card fraud conspiracy. The patient profile records that Brown stole included personal identifying information, such as patients’ names, birthdates, Social Security numbers, addresses, driver’s license numbers, and next of kin contacts. Brown used the stolen identifying information to obtain patients’ credit card account numbers. She gave patient profile records and credit card account numbers to Barbary, who used the information to make unauthorized credit card purchases. When law enforcement officials disrupted the scheme, Brown was in possession of 41 patient profile records and Barbary was in possession of six patient profile records.
Curiosity Check of Medical Records Results In Arkansas Doctor, 2 Former Hospital Employees Guilty Plea To HIPAA Violation
Three Arkansas health care workers could be sentenced to up to 1 year in prison, a fine of not more than $50,000, or both after pleading guilty in July, 2009 to misdemeanor violations of the health information privacy provisions of HIPAA for accessing a patient’s record without any legitimate purpose.
United States Magistrate Judge Henry L. Jones, Jr. accepted the guilty pleas of Dr. Jay Holland, age 56, of Little Rock, Arkansas; Sarah Elizabeth Miller, age 28, of England, Arkansas; and Candida Griffin, age 34, of Little Rock, Arkansas, after each admitted to accessing patient records to satisfy their own curiosity.
Dr. Holland, Medical Director of Select Specialty Hospital, located on the 6th floor of the St. Vincent Infirmary Medical Center (SVIMC), admitted that after watching news reports on television, he logged on to the SVIMC patient records from his computer at home and accessed a patient’s files to determine if the news reports were accurate. He admitted he accessed the file because he was curious even though he had had HIPAA training and understood he was violating HIPAA when he accessed the file. SVIMC suspended Dr. Holland’s privileges for two weeks and required him to complete on-line HIPAA training.
Sarah Elizabeth Miller, formerly an account representative at SVIMC, Sherwood Campus, was responsible for checking patients in and out of the clinic and for processing patient billing. In order to perform her duties, she had access to the SVIMC patient records program which includes all locations, not just that of the Sherwood clinic. Miller admitted that on October 20 and 21, 2008, she accessed a patient’s files approximately 12 times out of curiosity. She admitted that she accessed the records without any legitimate purpose. Records show that Miller was trained on HIPAA privacy laws by SVIMC. SVIMC fired Miller from her position.
Candida Griffin was the emergency room unit coordinator at SVIMC. Her responsibilities were to order patient tests, perform data entry into electronic patient files for patients and perform other secretarial functions in the emergency room. Griffin admitted that on October 20, 2008, she was told by the charge nurse to set up an alias for a particular patient admitted to the emergency room. On October 21, 2008, after the patient had been moved to ICU, Griffin admitted that she became curious about the patient’s status and accessed the medical chart to find out if the patient was still living. Although Griffin did not inform anyone about accessing the chart, hospital records show that the patient’s records were accessed three times that day by Ms. Griffin. SVIMC records show that Griffin was trained on HIPAA privacy laws. SVIMC fired Griffin from her position.
Pursuant to plea agreements with the United States, Holland, Miller and Griffin pleaded guilty to a misdemeanor violation of the health information privacy provisions of HIPAA based on their accessing a patient’s record without any legitimate purpose. Each faces a maximum penalty of 1 year imprisonment, a fine of not more than $50,000, or both. A sentencing date has not yet been set, but is expected within the next few weeks.
Criminal Referral and Enforcement Continues
Together with the HIPAA-related criminal convictions in 2008 of David Gibson, Fernando Ferrer, Jr. and Andrea Smith discussed here, these new Arkansas and Florida criminal actions document the willingness of Justice Department attorneys to investigate and prosecute certain criminal violations. Because they involved the theft of health information for use in furtherance of other health care fraud schemes, many have viewed as predictable and understandable the prosecution of Gibson, Ferrer, Brown and Barbary. In contrast, the willingness of Jane W. Duke, United States Attorney for the Eastern District of Arkansas, to prosecute criminally the wrongful access by the SVIMC health care workers and Andrea Smith in the absence of other health care fraud motives challenges the perception widely held among certain segments of the health care and health plan industry that the criminal provisions of HIPAA have little teeth. Since U.S. Attorney Duke pursued both the SVIMC and Smith prosecutions, it remains to be seen whether other U.S. Attorneys will be equally willing to pursue prosecution of HIPAA violations in the absence of evidence of other federal health care crimes.
Less speculative is the growing readiness of the Department of Health & Human Services Office for Civil Rights (OCR) to pursue civil remedies for HIPAA violations. On February 18, 2009, for instance, OCR and the Federal Trade Commission (“FTC”) issued a joint announcement (the “Announcement”) ordering CVS Pharmacy, Inc., the nation’s largest retail pharmacy chain, to pay the U.S. government a $2.25 million settlement and to take other corrective action to ensure that it does not violate the privacy rights of patients under HIPAA when disposing of patient information such as identifying information on pill bottle labels. In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order and agreed to a settlement with the FTC to settle potential violations of the FTC Act. The investigation resulting in the settlement marks the first instance where the OCR formally coordinated on the investigation and resolution of a case with the FTC.
Coming as new data breach notification requirements for HIPAA-covered entities are set to take effect on September 23, 2009, these and other stepped up oversight and enforcement activities make it critical that all health care providers, health plans, health care clearinghouses and their business associates update their policies and practices, tighten their compliance and data breach monitoring processes, and strengthen their internal controls and compliance in preparation for defending their actions under the newly strengthened Privacy Rules. Covered entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards. Covered entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.
If you need assistance with auditing, updating or defending your organization’s HIPAA and other privacy and data security practices, please contact Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at CStamer@CTTLegal.com.
Register Now For Upcoming September Health Industry Update Programs
If you found this information of interest, you also may be interested in one of the following upcoming health industry programs to be presented by Ms. Stamer during September:
- HITECH ACT Health Data Security & Breach Update on September 9, 2009 hosted live or via teleconference by Curran Tomko Tarski LLP
- How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination — What You Should Be Doing To Be Prepared for the New, Stepped Up Enforcement Actions on September 10, 2009 hosted via teleconference by Health Resources Publishing
- Health Information Security & Data Breach Under HITECH Act on September 17, 2009 hosted via teleconference by the Health Care Compliance Association
To register or for other details about these and other upcoming programs and presentations by Ms. Stamer and other Curran Tomko Tarski members, see here.
Posted by Cynthia Marcotte Stamer
August 26, 2009
Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 23, 2009.
The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
HITECH Act Data Breach and Unsecured PHI Rules
Published in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens, and specifies the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 23, 2009.
Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federal mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that is not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.
Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.
For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.
Read the Breach Regulation here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.
OCR officials are continuing to work on other guidance concerning the amendments to HIPAA’s privacy and security rules enacted under the HITECH Act and the Genetic Information Nondiscrimination Act (GINA). Differences in the effective dates of certain requirements generally will necessitate that Covered Entities and their business associates move forward to comply with the Breach Regulations and other aspects of these changes before some of these other rules or guidance relating to them take effect.
About The Author
The author of this update, Curran Tomko Tarski LLP Health Practice Leader Cynthia Marcotte Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Vice President of the North Texas Health Care Compliance Professionals Association and Past Chair of the ABA Health Law Section Managed Care & Insurance Section, and Former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 20 years’ experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.
Other Helpful Resources & Other Information
If you found this update of interest, you also may be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@cttlegal.net.
Posted by Cynthia Marcotte Stamer
August 24, 2009
Register Now To Participate in September 9 “HITECH Act Health Data Security & Breach Update”
Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 24, 2009.
The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time.
HITECH Act Data Breach and Unsecured PHI Rules
Scheduled for publication in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens, and specifies the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 24, 2009.
Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federal mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that is not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.
Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.
For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.
Read the Breach Regulation here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.
September 9 “HITECH Act Health Data Security & Breach Update” Briefing
Interested persons are invited to register here now to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas, Texas 75201. For information about registering for this program or other questions, see here.
Conducted by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:
- Who must comply
- What your organization must do
- How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
- What is considered a breach of unsecured protected health information
- What steps must a covered entity take if a breach of unsecured protected information happens
- What liabilities do covered entities face for non-compliance
- What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
- How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
- Other recent developments
- Practical tips for assessing, planning, moving to and defending compliance
- Participant questions
- More
About The Presenter
The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Posted by Cynthia Marcotte Stamer
August 20, 2009
The U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009) issued “breach notification” regulations requiring health care providers, health plans and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Covered Entities must begin complying with the new rules no later than September 24, 2009.
Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas, Texas 75201. For more information, e-mail here.
HITECH Act Data Breach and Unsecured PHI Rules
The new data breach notification rules are part of a series of recent HIPAA amendments enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate covered entities and business associates to provide certain notifications following a breach of “unsecured” “protected health information” within the meaning of HIPAA, as amended. “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary.
The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach, and address the form, manner, and timing of that notification. For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure. To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the guidance that HHS published earlier this year specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.
The HHS interim final regulations are effective September 24, 2009, which is 30 days after the date they will be published in the Federal Register, and include a 60-day public comment period. To review the interim final data breach regulations, see here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.
For More Information
The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers, payors and their business associates about HIPAA and other privacy and data security matters, as well as a diverse range of health care policy, regulatory, compliance, risk management and operational concerns.
Past chair of the American Bar Association Health Law Section Managed Care & Insurance Section, Martindale-Hubbell AV-rated and recognized in International Who’s Who of Professionals, Ms. Stamer continuously advises health care providers, health care payers and administrators, employers, governments and others about health care, insurance, human resources, privacy and data security, technology, and other legal and operational concerns. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer also writes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. She currently serves as the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010. Examples of her other works include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of others. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service Privacy Report, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and various other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.
We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on LinkedIn and registering to receive these updates here.
Other Helpful Resources & Other Information
If you found these updates of interest, you also may be interested in one or more of the following other recent articles published in our electronic Solutions Law Press Health Care Update publication available here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.
Posted by Cynthia Marcotte Stamer
August 5, 2009
Democratic Leaders in the House of Representatives plan to hammer out differences among three versions of the America’s Affordable Health Choices Act (H.R. 3200) as separately passed by three key House Committees in July before House members return from their August recess in hopes of bringing the agreed to version of H.R. 3200 to the full House in September. Regardless of which version ultimately emerges, the enactment of H.R. 3200 would result in sweeping new regulation and federal control over health care providers, health care payers, employers, and individuals.
After negotiating a last minute pre-August recess deal with certain Blue Dog Democrat Committee members, the House Energy and Commerce Committee on July 31, 2009 passed its version of H.R. 3200, the America’s Affordable Health Choices Act. The version of H.R. 3200 passed by the House Energy and Commerce Committee incorporates a series of amendments to the language of H.R. 3200 as originally introduced. For instance, this version of H.R. 3200 provides incentives for states to adopt certain tort reforms, provides for a public plan option that would reimburse physicians based on negotiated rates rather than Medicare rates, and would allow states to offer both state-based health insurance exchanges and health insurance co-ops. To review H.R. 3200 as amended by the House Energy and Commerce Committee, see here.
The approval by the Energy and Commerce Committee of its version of H.R. 3200 follows the July 17, 2009 approval by the House Ways and Means Committee and Education and Labor Committee of their own versions of H.R. 3200. For details on the version of H.R. 3200 approved by the House Ways and Means Committee, see here. For details on the version of H.R. 3200 approved by the House Education and Labor Committee, see here.
Leading House Democrats have announced their intention to work to resolve differences between these three versions of H.R. 3200 as passed by these Committees during August recess in hopes of bringing the agreed to version of H.R. 3200 to a vote of the full House of Representatives in September.
Meanwhile, House members from both parties also generally are using the August recess as an opportunity to reconnect with local constituents on health care reform and other core issues.
For More Information
The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer, has extensive experience advising and assisting health industry clients and others about a diverse range of health care policy, regulatory, compliance, risk management and operational concerns. You can get more information about her health industry experience here.
Posted by Cynthia Marcotte Stamer