Lab Nailed For HIPAA Right Of Access Violation; Other Covered Entities Warned

January 3, 2023

A medical laboratory is the latest health care provider nailed under the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Right of Access Initiative for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access requirements.

OCR announced the 43rd access rule settlement with Life Hope Labs, LLC (“Life Hope Labs”), a full-service diagnostic laboratory in Sandy Springs, Georgia Tuesday.

In August 2021, a complaint was filed with OCR alleging that Life Hope Labs would not provide a personal representative with a copy of her deceased father’s medical records. The personal representative first requested access to her father’s records on July 7, 2021, but did not receive them until February 16, 2022, over seven months later. OCR’s investigation determined that Life Hope Labs’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

The access rule requires that patients be able to access their health information in a timely manner.

In its Resolution Agreement, Life Hope Labs agreed to pay $16,500 to resolve this investigation. In addition to the monetary settlement, Life Hope Labs also agreed to implement a corrective action plan that includes two years of monitoring by OCR.

In announcing its filing of the settlement, OCR warned other labs and health care providers to ensure their right of access compliance.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer in OCR’s announcement of the settlement. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | ambulance, DME, Doctor, drug treatment, Electronic Health Records, Emergency Care, EMTALA, English as A Second Language, Health Care, Health Care, Health IT, Health Plan, Health Plans, HIPAA, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, medical devices, Pharmaceudical, Pharmacy, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Chiropractor, Modern Vascular Office-Based Labs and Modern Vascular Corporate Entities Face False Claims Act Prosecution

December 19, 2022

Three consolidated False Claims Act (“FCA”) lawsuits against chiropractor Yury Gampel (“Gampel”), 15 Modern Vascular office-based labs owned primarily by Gampel located across the United States, and five Modern Vascular-affiliated companies owned by Gampel alert other chiropractic, physician and other medical providers using office-based labs send a clear warning to other health care providers and suppliers for services covered or billed to Medicare, Medicaid, TRICARE or other federal health care programs about the necessity to ensure their arrangements don’t involve illegal financial relationships or transactions.

False Claims Act Liability Arising From Participation In Or Filing Claims Involving Improper Inducements

The Justice Department suit against the defendants alleges the defendants both arose from the defendants participation in arrangements involving the offering and payment of illegal remuneration in violation of the federal Anti-Kickback Statute (“AKS”) and that the claims for benefits made to Medicare and other federal programs for care provided involving the arrangement violated the FCA.

The AKS generally prohibits any person or entity from soliciting, receiving, offering, or paying any direct or indirect prohibited remuneration as an inducement or reward for referring, recommending, ordering, or arranging for the purchase of any item or service for which payment may be made in whole or in part by a federal health care program. Parties violating the AKS commit a felony punishable with a fine of up to $100,000, imprisonment for up to 10 years or both.

In addition to any criminal liability arising under the AKS, filing claims derived or involving transactions prohibited by the AKS also can trigger liability for violation of the FCA. The FCA makes it unlawful for any person to submit, directly or indirectly, false or fraudulent claims for payment to the Government by among other things:

  • Knowingly presenting, or causing to be presented, a false or fraudulent claim for payment or approval in violation of 31 U.S.C. § 3729(a)(1)(A) (the “presentment provision”); or
  • Knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim in violation of 31 U.S.C. § 3729(a)(1)(B).

The FCA defines the term “knowingly” under the FCA very broadly. As defined, “knowingly” means that a person, with respect to information, (i) has actual knowledge of the information, (ii) acts in deliberate ignorance of the truth or falsity of the information, or (iii) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. § 3729(b). No proof of specific intent to defraud is required to show that a person acted knowingly under the FCA.

Violations of the FCA subject the defendant to mandatory civil penalties per FCA violation, plus three times the amount of damages that the Government sustains as a result of the defendant’s actions. 31 U.S.C. § 3729(a). Under 42 U.S.C. § 1320a-7(b)(7), health care providers submitting claims to Medicare or other federal health care programs also can face exclusion from participation in federal health care programs for FCA violations.

Health care providers filing claims for Medicare or other federal health plans can violate the FCA by knowingly presenting or causing to be presented claims for items or services that the person knew or should have known were not medically necessary, or were false or fraudulent. 42 U.S.C. §§ 1320a-7a(a)(1).

Moreover, health care providers under the Medicare statute have an affirmative duty to familiarize themselves with the statutes, regulations, and guidelines regarding coverage for the Medicare services. As a condition of program participation, Medicare regulations require providers and suppliers to certify that:

  • The provider or supplier meets, and will continue to meet, the requirements of the Medicare statute and regulations, 42 C.F.R. § 424.516(a)(1), including that any claims and underlying transactions made in a claim for Medicare comply with the Federal anti-kickback statute and the Stark law), and on the supplier’s compliance with all otherwise applicable conditions of participation in Medicare; and
  • The provider or supplier will not knowingly to present or cause to be presented a false or fraudulent claim for payment by Medicare, or to submit claims with deliberate ignorance or reckless disregard of their truth or falsity.

Additional certifications of continued compliance with these requirements also are required when claims are filed. Accordingly, since health care providers and suppliers are responsible for taking appropriate steps to familiarize themselves with the rules and regulations applicable to their claim and the transactions underlying it and certify in connection with the filing of the claim that the claim and its underlying transactions comply with the law, health care providers filing claims involving prohibited financial incentives or other transactions prohibited by law risk FCA liability.

Gampel, Modern Vascular FCA Complaint

Derived from the Justice Department’s assumption and consolidation of various qui tam lawsuits separately brought by various physicians, the United States filed its complaint in three consolidated lawsuits pending in the United States District Court for the District of Arizona under the qui tam, or whistleblower, provisions of the False Claims Act, 31 U.S.C. §§ 3729-3733 (“FCA”) which allow a private citizen to sue on behalf of the government and share in any recovery. The United States is also entitled to intervene in the lawsuits, as it did in these cases.

The resulting consolidated three consolidated Justice Department lawsuits seek to recover treble damages and civil penalties, and under common law and equitable theories of recovery from defendants for their billing of Medicare, TRICARE and other federal health care programs for claims resulting from transactions involving prohibited remuneration offered and provided in violation of the AKS under Gampel’s alleged schemes Nobility Management LLC; Modern Vascular LLC; Modern Vascular of South Florida LLC; Modern Vascular Management LLC; Modern Vascular Management – East LLC; Modern Vascular Management – West LLC; Modern Vascular Institute LLC; Modern Vascular of Mesa LLC; Modern Vascular of Glendale LLC; Modern Vascular of Sun City LLC; Modern Vascular of Tucson LLC; San Antonio Vascular Specialists Corp. dba Modern Vascular; Fort Worth Vascular Specialists Corp. dba Modern Vascular; Modern Vascular of Denver LLC; Modern Vascular – Navajo LLC; Modern Vascular of Fairfax LLC; Modern Vascular of Houston LLC; Modern Vascular of Indianapolis LLC; Modern Vascular of Southaven LLC; Modern Vascular of St. Louis LLC; and Modern Vascular of Kansas LLC. 

The Justice Department complaint alleges Defendant Yury Gampel, a chiropractor, is the founder and former Chief Executive Officer (“CEO”) of a franchise of office-based labs (“OBL”) located in Arizona, New Mexico, Colorado, Texas, Indiana, Kansas, Mississippi, Missouri, Tennessee, and Virginia operating under the name Modern Vascular (collectively, the “Modern Vascular OBLs”). The Modern Vascular OBLs – each its own separate legal entity – focus on the treatment of peripheral arterial disease (“PAD”), particularly through an aggressive use of vascular intervention procedures, such as angioplasty and atherectomy. The complaint claims Gampel and the Modern Vascular defendants designed and promoted the franchises that incorporated a package of management and other services provided by various Modern Vascular defendant companies.

Defendant Nobility Management, LLC, provides management services to the Modern Vascular OBLs. Defendants Modern Vascular Management, LLC; Modern Vascular Management – East, LLC; and Modern Vascular Management – West, LLC, offer
IT and management support to Modern Vascular OBLs. Defendants Modern Vascular, LLC, and Modern Vascular of South Florida, LLC, are corporations controlled by Gampel that have various ownership interests in Modern Vascular OBLs. Through Modern Vascular, LLC, and Modern Vascular of South Florida, LLC, and in his own capacity, Gampel is the majority owner of the Modern Vascular OBLs. (These entities that own and manage the Modern Vascular OBLs are referred to collectively below as “Modern Vascular Corporate.”)

The complaint alleges that Gampel and Modern Vascular Corporate designed and implemented a fraud scheme at Modern Vascular OBLs at the expense of patients and federal payors from at least January 1, 2018 through June 30, 2022. Among other things, the complaint charges Gampel and the Modern Vascular defendants offered physicians the opportunity to invest in Modern Vascular office-based labs to induce them to refer their Medicare and TRICARE patients to Modern Vascular for the treatment of peripheral arterial disease. More specifically, Gampel and Modern Vascular Corporate opened Modern Vascular OBLs in new markets where referring physicians and vascular surgeons had established relationships. Prior to opening an OBL in a particular location, Gampel sought out up to 20 local physicians – usually podiatrists and pain management physicians – who traditionally referred to vascular surgeons and offered each up to a two percent ownership interest in the OBL in order to induce the physicians to refer to the OBL. Gampel and Modern Vascular Corporate selected these particular physicians (hereinafter “physician investors”) to offer ownership investment because Gampel and Modern Vascular Corporate identified them as potential high-referral sources. Once they invested in an OBL, Gampel and Modern Vascular Corporate further required the physician-investors to make referrals to Modern Vascular OBLs as a condition for remaining as a physician-investor. The complaint also alleges that Gampel pressured vascular surgeons and interventional radiologists employed at the Modern Vascular office-based labs to increase the number of invasive surgical procedures performed by tracking procedures and setting aggressive weekly and monthly goals for such procedures. In particular, Gampel and Modern Vascular Corporate provided remuneration to physician investors in Modern Vascular OBLs to induce those investors to refer patients to the Modern Vascular OBL.

The Justice Department charges that using this scheme, Defendants between January 1, 2018 and June 30, 2022 submitted, and caused to be submitted, tens of millions of dollars in false or fraudulent claims to Medicare, TRICARE and other federal health care programs by offering and providing illegal remuneration to health care providers to induce referrals to the Modern Vascular OBLs in violation of the Anti-Kickback Statute (“AKS”), 42 U.S.C. § 1320a-7b. To induce referrals, Gampel and Modern Vascular Corporate provided remuneration to physician-investors in the form of equity ownership interests in an OBL, which also included distributions, the prospect of future distributions, and/or the prospect of a cash-out of the equity ownership amounts when
the Modern Vascular OBLs were sold. During the relevant time period, the Justice Department also claims Modern Vascular
OBLs received over $50 million from Medicare Part B alone for claims submitted for patients referred by physician-investors in violation of the FCA.

Warning To Other Heath Care Providers & Suppliers

In announcing its filing of the Gambrel FCA lawsuit, the Justice Department warned other federal health program providers and suppliers and their business partners, investors, employees and agents from violating the AKS, FCA or both in the provision of or billing of health care services or supplies. “As part of our mission to protect the American people, the FBI remains committed to safeguarding patients who rely on our healthcare systems,” said Deputy Assistant Director Aaron Tapp of the FBI’s Criminal Investigative Division. “The FBI and our law enforcement partners will continue to investigate those who abuse our healthcare systems, place patients at risk, and waste taxpayer dollars.” 

This warning, along with the ever-lengthening list of federal criminal and civil prosecutions, convictions and settlements by the Justice Department, the Department of Health & Human Services Office of Inspector General and other agencies provide a strong warning to health care providers, suppliers and others involved in creating or administering transactions and other arrangements for the delivery and billing for health are to be billed to Medicare, Medicaid, TRICARE and other health care arrangements covered by the AKS, the FCA or other federal or state health care fraud laws to take well documented care to ensure the care delivery arrangement does not involve transactions prohibited under the AKS or other federal or state health care fraud transactions and the care billed qualifies for reimbursement before submitting the claim. Parties who know or suspect that they may have participated in an arrangement prohibited under these laws or submitted prohibited claims should contact experienced legal counsel within the scope of attorney-client privilege for assistance in reviewing those concerns and exploring options for correction or mitigation.

For More Information

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as  a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE: Terms. These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances. The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Leave a Comment » | Academic medicine, Anti-KickBack, ASC, billing, compensation, Conditions of Participation, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, Home Health, Hospice, Hospital, Hospital, Indian Health, Inpatient Rehabilitation Facility, Laboratory tests, Laws, long-term care, Medicaid, Medicaid Advantage, Medicare, Mergers and Acquisitions, nursing home, Outpatient, pain management, Pharmaceudical, Physician, Physician Licensing, Prescription Drugs, Reimbursement | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Act Promptly To Comment On ONC’s Proposed Electronic Clinical Quality Measure Draft Changes

September 14, 2022

Health care providers, health plans and insurers and other stakeholders concerned about the Department of Health and Human Services Office of the National Coordinator for Healthcare Information (“ONC”) electronic clinical quality measures (“eCQMs”) have the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources  under consideration by ONC as part of ONC’s 2022 Change Review Process (CRP) for the ONC Project Tracking System. Interested stakeholders must monitor the posting of issues and act quickly to share their feedback, however, as stakeholders have only two weeks to comment after a ONC posts a new proposed eCQm change.

eCQMs As Measure of Health Care Quality

Electronic clinical quality measures or “eCQMs” are tools that ONC develops with stakeholder input to help Medicare and Medicaid measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider’s electronic health record (EHR). CMS Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care. CMS’ eCQMs measure many aspects of patient care, including:

  • Patient and Family Engagement
  • Patient Safety
  • Care Coordination
  • Population/Public Health
  • Efficient Use of Healthcare Resources
  • Clinical Process/Effectiveness

To successfully participate in the Medicare and Medicaid Promoting Interoperability Programs, the Centers for Medicare and Medicaid Services (“CMS”) requires eligible providers, eligible hospitals, critical access hospitals and dual-eligible hospitals electronically to report on eCQMs determined by CMS that require the use of data from the provider’s certified electronic health record (“EHR”) technology (CEHRT) or other health information technology systems to measure and report quality measures in a standardized manner. For calendar year (CY) 2022, Medicare Promoting Interoperability Program participants are required to report on three self-selected eCQMand the Safe Use of Opioids – Concurrent Prescribing eCQM from the set of nine available for at least three self-selected quarters of CY 2022 data. To report eCQMs successfully, health care providers must use an EHR and adhere to the requirements identified by the CMS quality program. Failing to meet these eCQM reporting requirements can prevent the provider from meeting meaningful use requirements and trigger reductions in reimbursements for care.

Health care quality, credentialing, accreditation, and other provider, health plan and other organizations also use the eCQMs data alone or with other quality measures and tools to set standards and assess and enforce quality goals and performances.

As the proposed changes on a relevant eCQM could materially impact the reporting responsibilities of the reporting providers, the quality and meaning of a proposed data measure, or both, impacted stakeholders should monitor the system for possible changes impacting the eCQMs used or applicable to their organizations and its activities and if appropriate, comment promptly.

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

  • Evidence-based Medicine
  • Code Sets
  • Measure Logic

Conducted annually as part of OCN’s eCQM Issue Tracker project, the CRP provides eCQM users the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by the measure stewards. The goal of the CRP is for eCQM implementers to comment on the potential impact of draft changes to eCQMs so CMS and measure stewards can make improvements to meet CMS’s intent of minimizing provider and vendor burden in the collection, capture, calculation, and reporting of eCQMs. 

Stakeholders with an account on the ONC Project Tracking System can monitor, review and comment on proposed eCQM changes through the eCQM Issue Tracker project during the two week period following the date the issue is posted in the eCQM Issue Tracker. To participate in the CRP, users must have an ONC Project Tracking System account. New users can create an account via the ONC Project Tracking System website.

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates

Issues Open for Public Comment As of 9/14/2022

CMS eCQM Identifier and Measure TitleCRP Issue TitleIssue Number and LinkIssue TypeGoal of ReviewPublic Comment Open DatePublic Comment Close Date
Multiple measuresIncorporate ‘Diagnosis’ datatype to capture Hospice CareCQM-5561Logic; Value SetObtain clinical and technical feedback09/07/202209/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older AdultsUpdate Cumulative Medication Duration function to calculate maximum daily frequencyCQM-5562LogicObtain technical feedback09/07/202209/21/2022
Multiple measuresExpand codes using ‘Diagnosis’ datatype to capture Palliative CareCQM-5563Logic; Value SetObtain clinical and technical feedback09/07/202209/21/2022
Multiple measuresRequire 2 indications of frailty to meet exclusionCQM-5564Header; Logic; Measure Intent ClarificationObtain clinical feedback09/07/202209/21/2022
CMS127: Pneumococcal Vaccination Status for Older AdultsExpand numerator to allow for pneumococcal vaccination since 19 years of ageCQM-5565Header; Logic; Measure Intent ClarificationObtain clinical feedback09/07/202209/21/2022
eCQM Issue Tracker Open Issues As Of September 14, 2022

As proposed eCQM changes are posted for public comment as CRP issues. ONC informs eCQM accountholders of the proposed change or eCQM issue by posting for review in the ONC Project Tracking System. Accountholders only have two weeks after ONC posts a proposed eCQM to comment on the posted issue. Stakeholders interested in commenting on a particular issue must submit their comment in accordance with the directions within this two week period.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Share this:

Leave a Comment » | Academic medicine, ASC, Conditions of Participation, Disease Management, DME, Doctor, Durable Medical Equipment, E-Prescribing, Evidence Based Medicine, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, home health, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, managed care, Meaningful Use, Medicaid, Medicaid Advantage, medical devices, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Fee Schedule, Mental Heatlh, ONC, Opiates, Outcomes Data, Outpatient, Physician, Prescription Drugs, Prospective Payment, quality reporting, quality repoting, Reimbursement, Substance Abuse | Tagged: | Permalink
Posted by Cynthia Marcotte Stamer

Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement In 9/8 JCEB Webex

September 2, 2022

As qualifying individuals and companies that purchased or received health insurance await instructions on how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Anethesiology, Antitrust, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Federal Sentencing Guidelines, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Covered Entity Nailed With $300,000+ HIPAA Settlement For Improper PHI Disposal

August 23, 2022

A Massachusetts dermatology practice’s Health Insurance Portability & Accountability Act (“HIPAA”) $300,000 plus settlement with the Department of Health & Human Services Office for Civil Rights (OCR) reminds health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) to use proper practices and safeguards when disposing of protected health information (“PHI”).

Following up on other OCR enforcement involving improper protection and disposal of paper and electronic PHI, the settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) OCR announced today (August 23, 2022) resolves charges that NDELC violated the HIPAA Privacy Rules when it placed specimen containers with patient identifying PHI in its parking lot garbage bin.

OCR interprets HIPAA as requiring Covered Entities to appropriate steps to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public. ”Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer.

On May 11, 2021, NEDLC filed a breach report with OCR that reported empty specimen containers with the PHI on labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. On March 31, 2021, a third-party security guard found one specimen container bearing a label containing patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen.  During the investigation, NEDLC stated that from February 4, 2011 until March 31, 2021, it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.

OCR’s New England Regional Office found the practice of disposing of specimen containers with their labels containing PHI violated the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Under the NEDLC Resolution Agreement negotiated to settle the alleged violations, NEDLC paid $300,640 to OCR and agreed to implement a “robust” corrective action plan that includes two years of  OCR monitoring.  Among other things, the corrective action plan requires NEDLC to:

  • Within 60 days, develop, maintain, and revise, as needed and present for OCR review its written policies and procedures to comply with the physical safeguard and disposal of PHI created, received or maintained by or on behalf of NEDLC and all other HIPAA Privacy, Security and Breach Notification and training protocols to ensure workforce member compliance with these policies; and sanctions for workforce members violating these requirements;
  • Implement the updated policies and procedures within 30 days of receipt of HHS approval;
  • Distribute the policies to existing members of its workforce within 30 days of receipt of HHS approval of the policies and subsequently to new members of the workforce within 30 days of their beginning of service and obtain a signed written or electronic initial compliance certification from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures;
  • Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed, provide the revised policies and procedures to HHS for review and approval, and redistribute to and obtained new compliance certifications from workforce members and business associates within 30 days of HHS approval;
  • If it receives information during the Compliance Term that a workforce member or business associate may have failed to comply with its policies and procedures for safeguarding PHI, promptly investigate and it the investigation finds a violation, notify HHS within 30 days of the violation and corrective action taken;
  • Comply with specified breach investigation and notification requirements;
  • Provide reports certified by a designated leader of the organization its implementation of the corrective action plan, annually and upon the occurrence of certain other events during the two-year monitoring period.

The NEDLC Resolution Agreement is not the first time OCR has nailed a Covered Entity for improper disposal of PHI. In 2015 Cornell Prescription Pharmacy paid OCR $125,000 and implemented a correction action plan to correct alleged HIPAA violations after an OCR investigation of a local news report confirmed unsecured paper documents containing PHI of more than 1600 patients were disposed of in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. See Cornell Prescription Pharmacy Resolution Agreement. See also $800,000 HIPAA Settlement in Medical Records Dumping Case.

To reduce their own exposure to potential HIPAA liability arising from improper disposal of PHI, covered entities should evaluate the adequacy of the PHI handling, security and disposal policies, procedures, training and compliance for potential weaknesses and take appropriate, timely documented corrective action to tighten their compliance with OCR’s regulations, OCR’s Frequently Asked Questions About the Disposal and other OCR enforcement actions and guidance on PHI disposal.   

Since these evaluations could uncover past or ongoing compliance concerns, Covered Entities and business associates should consider engaging legal counsel experienced with HIPAA compliance to advise and aid the Covered Entity to structure, conduct, evaluate findings and determine and implement any corrective actions that the review reveals as required or advisable within the scope of attorney client privilege.

Effective protection and disposal of PHI requires that Covered Entities recognize and keep track of all PHI in the various phases of its lifecycle in the organization including when it is being disposed or or migrating through various systems. Sanctions for disposal of specimen bottles containing PHI labels should raise the need for awareness of disposal practices for other patient labeled items including identification bracelets, medication containers and labels, meal trays and the plethora of other items containing patient specific information. PHI disposal issues also can arise out of the disposal of files, storage containers, computers, copiers or other devices. For instance, under the Affinity Health Plan, Inc. Resolution Agreement, Affinity Health paid OCR $1,215,780 to settle potential HIPAA Civil Monetary Sanctions after OCR found it exposed the PHI of up to 344,579 individuals by returning photocopiers to a leasing agent without erasing the data contained on the copier hard drives. 

Because HIPAA obligations continue even when a Covered Entity or business associate goes out of business, Covered Entities also need to take appropriate steps to provide for ongoing management, protection and disposal of PHI when they or a business associate ceases business. Thus, in the FileFax Resolution Agreement, for instance the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $ 100,000 out of the receivership estate to OCR to settle potential HIPAA violations after Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

Covered Entities must understand that these responsibilities generally cannot be met merely through adoption of a standard set of policies and procedures from a third-party. The HIPAA Privacy Rule requires all Covered Entities to prepare and document risk assessments and develop and enforce appropriate privacy and security policies and procedures. Security and disposal practices and procedures are among the elements of HIPAA compliance that OCR expects Covered Entities to address in the documented risk assessments the regulations require Covered Entities to prepare and maintain. See $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis. As with other HIPAA compliance responsibilities, OCR regulations require that Covered Entities include their documented assessment and decision-making about the adequacy and reasonableness of their PHI protection and destruction practices under HIPAA as part of their overall HIPAA risk assessment plan and practices.

While OCR guidance provides some examples of several practices that a Covered Entity might use that could or could not meet the destruction standards, these examples are not safe harbors. The regulations and guidance expect Covered Entities to conduct a documented review and assessment “of their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.”  OCR guidance directs that Covered Entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. Covered entities are responsible for conducting and documenting their analysis as well as their adoption, implementation and enforcement of the resulting policies and procedures.

If circumstances come to light that indicate a breach of the standards in the course of the disposal compliance assessment or otherwise, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, Covered Entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling PHI could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Anethesiology, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

SCOTUS: Emotional Injury Damages Not Recoverable In Patient’s Private Rehab Act and ACA Disability Discrimination Lawsuit But Other Significant Liability Risks Remain

May 2, 2022

Today’s Supreme Court ruling that emotional distress damages are not recoverable in a private action to enforce the disability discrimination and accommodation requirements of either the Rehabilitation Act of 1973 (“Rehab Act”) or the Patient Protection and Affordable Care Act (“ACA”) prevents health care and other businesses subject to these requirements against the risk of large emotional injury awards in private actions for discrimination based on these laws. However, health care providers and other organizations subject to these requirements should use care to maintain compliance to avoid large actual damage awards to plaintiffs bringing private lawsuits, program exclusion, penalties or other governmental sanctions or both.

Cummings Supreme Court Ruling

The May 1, 2022 United States Supreme Court ruling in Cummings v. Premier Rehab Keller authored by Supreme Court Justice John Roberts resulted from a suit that sought emotional distress damages brought by filed by a deaf and legally blind woman, Jane Cummings against Premier Rehab Keller after it denied her request that it provide an American Sign Language interpreter at her physical therapy sessions.  Premier Rehab told Cummings the therapist could communicate with her through other means,  Claiming Premier Rehab’s failure to provide an ASL interpreter constituted discrimination on the basis of disability in violation of the Rehab Act and Section 1557 of the ACA, Cummings sued Premier Rehab seeking various damages and other relief, including emotional distress damages.

The Supreme Court took notice that Premier Rehab was subject to these laws because its receipt of Medicare and Medicaid payments qualified as federal financial assistance triggering their applicability.

The Supreme Court affirmed the previous District Court and Fifth Circuit Court of Appeals’ rulings that emotional distress damages are not recoverable in a private action to enforce either the Rehab Act or the ACA.

The Supreme Court Majority based its decision on its finding that the Rehab Act and Act both are spending statutes that condition their offer of federal funding on a promise by the recipient not to discriminate creating what amounts essentially to a contract between the Government and the recipient of funds.  Following previously established Supreme Court precedent for “private spending clause actions,” the Court ruled the emotional distress or other remedy is not available unless “the funding recipient is on notice that by accepting federal funding, it exposes itself to liability of that nature.”

To decide whether emotional distress damages are available under the Spending Clause statutes in this case, the Court therefore asked if a prospective funding recipient deciding whether to accept
federal funds would have had “clear notice” regarding that liability. Because the two statutes are silent on the availability of emotional injury damages, the Supreme Court followed prior precedent by looking to whether the emotional damages sought by Cummings were the type of damages traditionally available in suits for breach of contract so as to put Premier Rehab and other defendants on notice of their exposure to such damages from actions under the Rehab Act or ACA.  While acknowledging some exceptional circumstances where punitive damages may be recovered where “the conduct constituting the breach is also a tort for which punitive damages are recoverable,” the Court found such damages “are generally not available for breach of contract.” Concluding that the recognized exception to the general rule was insufficient to give funding recipients the requisite notice that they could face such damages. the Supreme Court ruled that funding recipients under the Rehab Act and the ACA “have not, merely by accepting funds, implicitly consented to liability for punitive damages.” 

To read the full Majority opinion and related consenting and dissenting opinions, see here. 

Liability Risks Remain Substantial Despite Cummings Ruling

While the Supreme Court’s ruling means private litigants cannot recover emotional injury damages in discrimination actions brought to enforce the Rehabilitation Act or the ACA, health industry and other organizations remain subject to other substantial liability risks for improper discrimination in violation of those laws.  Beyond recoveries for actual damages, attorneys’ fees and costs recoverable by private litigants, covered organizations also can face substantial civil monetary penalties, program disqualification, in some instances even False Claims Act liability for billing in violation of program conditions of participation and other risks.  As federal agencies continue to make enforcement of these sanctions a priority, organization covered by either of these laws should use care to maintain appropriate compliance and risk management to ensure their ability to defend against any potential charges.  

For instance, HHS recently reaffirmed its continued commitment and prioritization of protecting disabled individuals against disability discrimination by its publication of its February 4, 2022 FAQs for Healthcare Providers during the COVID-19 Public Health Emergency: Federal Civil Rights Protections for Individuals with Disabilities under Section 504 and Section 1557. Published to remind health care providers of their obligations under law and provide examples of applicability, HHS clarifies in that guidance that federal civil rights laws apply to health care providers, including those administering COVID-19 testing, medical supplies, and medication. These rules also apply to entities providing hospitalization, long-term care, intensive treatments, and critical care, such as oxygen therapy and mechanical ventilators. HHS also confirm that federal civil rights laws apply to state Crisis Standard of Care plans, procedures, and related standards for triaging scarce resources that hospitals are required to follow. HHS Issues New Guidance for Health Care Providers on Civil Rights Protections for People with Disabilities. See also New Guidance to Boost Accessibility and Equity in COVID-19 Vaccine Programs (December 22, 2021); HHS Takes Action to Prevent Discrimination and Strengthen Civil Rights (November 18, 2021); HHS and DOJ Issue Guidance on “Long COVID” and Disability Rights Under the ADA, Section 504, and Section 1557 (July 26, 2021); OCR Provides Technical Assistance to the State of Arizona to Ensure Crisis Standards of Care Protect Against Age and Disability Discrimination (May 25, 2021); HHS Announces Prohibition on Sex Discrimination Includes Discrimination on the Basis of Sexual Orientation and Gender Identity (May 10, 2021); New Legal Guidance and Resources to Ensure — and Expand — Access to COVID-19 Vaccines for People with Disabilities and Older Adults (April 13, 2021).

HHS’ guidance announcements all include a warning like the one from OCR Director Lisa J. Pino in the February 4, 2022 announcment that “OCR will continue our robust enforcement of federal civil rights laws that protect people with disabilities from discrimination, including when Crisis Standards of Care are in effect.”

The current and historical enforcement record of HHS demonstrates the teeth behind this commitment. OCR has a long and continuing history of extracting substantial settlements or civil monetary penalties from health care or other organizations receiving Medicare, Medicaid or other federal funds administered by HSS for engaging in conduct OCR finds inconsistent with the ACA or Rehabilitation Act discrimination requirements. See, e.g., Settlement Agreement Reached with Rhode Island Department of Children, Youth and Families to Address Discrimination Against Parents with Disabilities (March 30, 2022); Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (December 22, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office for the District of Massachusetts Settle Disability Discrimination Case with Baystate Medical Center (November 17, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office Settle Disability Discrimination Case with Backus Hospital (October 5, 2021); Rhode Island, Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (August 9, 2021).

These OCR guidance and enforcement actions and similar activities by other federal agencies send a strong message that OCR and other federal agencies will continue and expand their zealous investigation and enforcement of disability and other violations by health care providers and other public and private organizations covered by the Rehabilitation Act, the ACA or other federal discrimination and civil rights laws. Health care providers and others regulated by these federal discrimination laws should consider auditing the adequacy of existing practices, reaffirming their own and their business partners’ compliance, retraining workforce and taking other appropriate steps to help prevent illegal discrimination within their organization and to position their organization to respond and defend against potential discrimination investigations or charges.

For Additional Information Or Assistance

If you need have questions or need assistance with health, health or other insurance, employee benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.  Longtime scribe for the American Bar Association Joint Committee on Employee Benefits agency meeting with OCR and author of leading publications on HIPAA and other privacy and data security concerns, Ms. Stamer regularly assists clients and provides input to Congress, OCR and other agencies, publishes and speaks extensively on medical and other privacy and cybersecurity, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications.  She also is a highly-sought out speaker on privacy and data security who serves on the planning faculty and speaks for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.  If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, e-mail Ms. Stamer or call (214) 452-8297.  

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

Important Information About This Communication

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | 1335 Waiver, Academic medicine, ADA, air ambulance, Ambulatory care, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Covid, Disability Discrimination, Discrimination, DME, early childhood education, Emergency Care, Employee Benefits, Employment, false claims act, Health Care, Health Care Fraud, Health Care Provider, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Labor Law, Laws, Life Sciences, Medicaid, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, OIG, Opiates, Outpatient, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Section 1557 | Permalink
Posted by Cynthia Marcotte Stamer

Biden-Harris Administration to Expand Vaccination Requirements for Health Care and Many Other Employers

September 9, 2021

All Medicare and Medicaid certified health care facilities, and a broad range of other employers must prepare to meet impending new federal COVID-19 vaccine mandates announced by the Biden-Harris Administration today.

According to today’s announcements all healthcare facilities participating in Medicare or Medicaid or employing 100 or more employees will be required to ensure all staff are vaccinated against COVID-19.

The Biden-Harris Administration says the new health industry COVID-19 vaccine mandates will be implemented through emergency regulations to be issued in October.

According to today’s announcement, the Centers for Medicare & Medicaid Service (“CMS”) in collaboration with the Centers for Disease Control (“CDC”) is developing an Interim Final Rule with Comment Period that will be issued in October that will extend vaccine mandates originally announced last month for all Medicare and Medicaid participating nursing home workers to include hospitals, dialysis facilities, ambulatory surgical settings, and home health agencies, among others, as a condition for participating in the Medicare and Medicaid programs. See .

The announcement of the vaccine mandates for healthcare workers coincides with the Biden-Harris Administration’s announcement of sweeping new vaccine mandates for all government workers, government contractors and employers employing more than 100 employees.

The two mandates will force most health care facilities to impose mask mandates for all staff in order to meet the requirement all staff be vaccinated.

CMS and CDC say the decision was based on the continued and growing spread of the virus in health care settings, especially in parts of the U.S. with higher incidence of COVID-19. They claim the action will protect patients of the 50,000 providers and over 17 million health care workers in Medicare and Medicaid certified facilities.

According to the CDC, nursing homes with an overall staff vaccination rate of 75% or lower experience higher rates of preventable COVID infection. In CMS’s review of available data, the agency is seeing lower staff vaccination rates among hospital and End Stage Renal Disease (ESRD) facilities. To combat this issue, CMS is using its authority to establish vaccine requirements for all providers and suppliers that participate in the Medicare and Medicaid programs. Vaccinations have proven to reduce the risk of severe illness and death from COVID-19 and are effective against the Delta variant.

In it’s announcement of the impending vaccination requirements, CDC urged health care facilities to prepare now to meet the new mandate in October. CMS expects certified Medicare and Medicaid facilities to act in the best interest of patients and staff by complying with new COVID-19 vaccination requirements.

CDC also urged any health care workers employed in these facilities who are not currently vaccinated are urged to begin the process immediately and facilities to use all available resources to support employee vaccinations, including employee education and clinics, as they work to meet new federal requirements.

While legal challenges to the mandate requirements are likely, most facilities that have not already adopted vaccine mandates are expected to adopt these mandates rather than risk losing eligibility for Medicare and Medicaid reimbursement and other sanctions.

Beyondprogram disqualification and attendant financial pressures, announcement of the new vaccine mandates adds vaccination to the list of safety safeguards that healthcare facilities as employers can expect to be required to enforce as part of the occupational safety rules of the Occupational Safety and Health Administration (”OSHA”).

OSHA already is sanctioning employers for violating COVID-19 related OSHA requirements. For instance, OSHA nailed Lakewood Resource and Referral Center Inc., dba Center for Education Medicine and Dentistry (CHEMED) with heavy fines for allegedly violating applicable COVID-19 safety guidelines in January, 2021.

In a July 23, 2021 citation letter, OSH proposes to fine CHEMED $273,064.00 for willfully violating OSHA by not providing a medical evaluation to determine each employee’s ability to use a N95 respirator, before the employee was fit tested or required to use the respirator in the workplace to protect against SARS-CoV-2 virus while testing suspected COVID-19 individuals.

In addition to the proposed fine, the citation also orders CHEMED to take a series of corrective actions and to post notices in the workplace informing workers of the violation. 

Along with the CHEMED citation, OSH also cited a staffing agency contracted to provide nursing staffing to CHEMED, Homecare Therapies for also failing to conduct medical evaluations and fit tests. It received two violations and a proposed fine of $13,653.

In the face of these potential consequences, most covered health care facilities and other employers impacted by the mandate are likely to implement mandates unless and until these requirements are struct down by the courts or withdrawn.

Assuming the Administration follows appropriate procedures to adopt the rules, most legal commentators do not expect the legal challenges opposing the mandate orders to be successful in the courts particularly after the Supreme Court refused to overturn or hear arguments for overturning a unanimous decision of a three-judge panel of the United States Court of Appeals for the Seventh Circuit in Klassen v. Trustees of Indiana University that refused to enjoin a vaccine mandate imposed by Indiana University as a condition of student or staff in person participation in classes or other activities.

While most healthcare and other covered businesses are not expected to challenge the rules, compliance us likely to trigger backlash from some unvaccinated workers strongly opposed to becoming vaccinated. Employers may find that some employees will resign their employment or take other tactics to avoid becoming vaccinated. Even those who elect to become vaccinated to retain their employment are likely to express opposition and dissatisfaction that could create liability exposures for the employers if it becomes a basis for retaliation claim.

Employers in Texas and certain other states that have adopted rules restricting or prohibiting vaccine, mask or other mandates also may face challenges based on the state rules.

In light of these and other uncertainties and challenges, Healthcare and Other or Employers generally should seek legal advice and assistance from legal counsel experienced with the relevant health care, labor and employment, privacy and other concerns.

More Information

This article is republished by permission of the author, Cynthia Marcotte Stamer.  To review the original work, see here.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information about the these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Most widely recognized for her work with health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations. and their leaders.

Ms. Stamer has extensive experience advising, representing, defending, and training domestic and international public and private business, charitable, community and governmental organizations and their leaders, employers, employee benefit plans, their fiduciaries and service providers, insurers, and others has published and spoken extensively on these concerns. As part of these involvements, she has worked, published and spoken extensively on these and other human resources, employee benefits, compensation, worker classification and other workforce and other services; insurance; health care; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other performance, risk management, compliance, public policy and regulatory affairs, and other operational concerns. 

A former lead advisor to the Government of Bolivia on its pension  project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member,  past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com,  on  Facebook, on LinkedIn or Twitter or e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns.

©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Accreditation, ambulance, Ambulatory care, Anethesiology, Biological Warfare, CDC, Centers For Disease Control, Child Care, Conditions of Participation, Coronavirus, Corporate Compliance, Covid, Direct Primary Care, Disease Management, DME, Doctor, early childhood education, Emergency Care, Employer, Employment law, Health Care, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, healthcare, HHS, Home Health, home health, Hospice, Hospital, hospitals, Indian Health, Laboratory tests, Life Sciences, Medicaid, Medicaid Advantage, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, nursing home, occupational health, OSHA, Pandemic, Peer Review, Physician, Reimbursement, Union, vaccination | Tagged: , , , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

CMS Updates COVID-19 Accelerated and Advance Payments FAQs

July 8, 2021

Providers that received COVID-19 accelerated and advance payments should read the Centers for Medicare and Medicaid Services (“CMS”) updated FAQs (PDF) about repayment of COVID-19 accelerated and advance payments to learn how recoupment works and how it affects the provider’s Medicare claims payment amounts.

The new FAQ updates the Repayment of COVID-19 Accelerated and Advance Payments Began on March 30, 2021 (PDF) guidance.

For more information and to follow future updates, see the COVID-19 Accelerated and Advance Payments webpage or contact the author of this update.

More Information

If you are interested in a more detailed description of this or other developments discussed in this article, see here.

If you would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  For specific information or counsel about the these or other legal, management or public policy developments,  Ms. Stamer’s work, experience, involvements, other publications, or programs, contact Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297,  follow her on FacebookLinkedIn or Twitter or see Cynthia Marcotte Stamer, P.C. Website.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Most widely recognized for her work with health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations. and their leaders.

Ms. Stamer has extensive experience advising, representing, defending and training domestic and international public and private health care and life sciences, charitable, community and governmental, and other business organizations and their leaders, employee benefit plans, their fiduciaries and service providers, insurers, and others.  A widely published author and popular speaker, Ms. Stamer also has published and spoken extensively on wage and other and other health  care, human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress;  and many other compliance, governance, risk management, operational and public and regulatory affairs concerns.

A former lead advisor to the Government of Bolivia on its pension  project, Ms. Stamer also has worked internationally and domestically as an advisor to health, managed care, insurance, and other business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member,  past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  ©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, American Rescue Plan Act of 2021, Anti-KickBack, billing, Centers For Disease Control, compensation, Conditions of Participation, Coronavirus, Corporate Compliance, COVID-19, Doctor, E-Prescribing, Emergency Care, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospital, hospitals, Indian Health, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, OIG, Pandemic, Physician, public health, Reimbursement, Uncategorized | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

CME Credit Offered For Providers Completing Online Replay Of 4/16 CDC Training On Certifying COVID-19 Deaths

April 16, 2020

Healthcare providers, the Centers for Disease Control and Prevention (“CDC”) can get continuing education credit for completing free heath care provider training available online on “Guidance for Certifying Deaths Due to Coronavirus Disease 2019 (COVID-19)” originally presented by CDC live on April 16, 2020.

In addition to providing training about proper classification of COVID-19 related deaths on death certificates, health care providers participating in the call may qualify for continuing education credit.

About CDC’s 4/16 COVID-19 Death Reporting Training

The training covers updated rules on completing death certificates for patients believed to have died when infected with COVID-19 published April 2. Monitoring the emergence of Coronavirus Disease 2019 (COVID-19) and guiding public health response requires accurate and timely mortality data. As death certificates are one of the few sources of health-related data that are comparable for small geographic areas and are available over a long time period in the United States, mortality data from the National Vital Statistics System (NVSS) derived from information reported on death certificates to monitor deaths due to COVID-19 versus other causes of death.

During this COCA Call, the following presenters from the CDC provide an overview of the importance of mortality data, discuss the NCHS publication and the guidance it provides to clinicians who may need to certify a death involving COVID-19, and present a summary of COVID-19 surveillance through the NVSS.

  • Robert N. Anderson, PhD, Chief, Mortality Statistics Branch, National Center for  Health Statistics;
  • Margaret Warner, PhD,  Injury Epidemiologist, National Center for Health Statistics;
  • Lee Anne Flagg, PhD, Statistician (Health), National Center for Health Statistics; and
  • Farida Ahmad, MPH, Mortality Surveillance Lead, National Center for Health Statistics.

An advance copy of the program Slides is currently available on the CDC website and CDC plans to post a transcript of the program following the presentation.

Continuing Education Credit 

Health care providers participating in today’s training may be able to qualify for continuing education credit.  CDC says that health care providers wishing to receive continuing education for participation should complete the online between May 19, 2020, and May 19, 2022, and use course code WD2922. The access code is COCA041620. Continuing education certificates can be printed immediately upon completion of your online evaluation. A cumulative transcript of all CDC/ATSDR CEs obtained through the CDC Training & Continuing Education Online System will be maintained for each user.

Interested providers and others can learn mre at this CDC Clinician Outreach and Communication Activity (COCA) here.

More Information

We hope this update is helpful. In addition to this update, the author of this article also is extensively published and frequent speaker on HIPAA and other medical privacy and security, pandemic and other infectious disease, and other health industry crisis preparedness and response, regulatory compliance, risk management and operations, public policy and other concerns. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a practicing attorney, management and regulatory affairs consultant, author and lecturer, who has worked extensively on pandemic and other crisis planning, preparedness and response and other business change, risk, compliance and operation management throughout her 30 plus year career.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, and a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel, Ms. Stamer is most widely recognized for her career long  pragmatic, leading edge work, scholarship and thought leadership  domestic and international, public and private sector health care and managed care, workforce and employee benefits, insurance and financial services, their technology, data, and other service providers and advisors, and governments domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care facilities; physicians, medical staff and other health care providers and organizations; creditation, peer review and quality committees and organizations;  health care management and technology and other health and managed care industry clients; self-insured and insured health and other employee benefit plans, their sponsors, fiduciaries, administrators, insurers and service providers, and other payers; employers; billing, utilization management, quality, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization and the author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans and a multitude of other publications and workshops on health and other disaster and other crisis preparedness, risk management and response, as well as a multitude of other health care, workforce and other management and regulatory affairs publications and presentations, Ms. Stamer also shares her thoughtleadership through her extensive and diverse involvement in a broad range of other professional and civic organizations.  Examples of these involvements include her service as the current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former JCEB Council Representative;  past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; former ABA RPTE Employee Benefits & Other Compensation Group Chair and Past Chair and current Co-Chair of its Welfare Benefits Committee;  former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas; former technical advisor to the National Physicians Council on Health Care Policy; former member of the Stem Cell Advisory Committee; and in a multitude of other professional, trade, civic and community service organizations . For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer.  Limited non-exclusive license to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | Academic medicine, ASC, Border Health, Childrens Health Insurance Program, COVID-19, data breach, data security, Direct Primary Care, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Health Care, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HIPAA, Home Health, home health, Hospital, Indian Health, medical devices, Medical Licensure, Medical Privacy, Medical Records, Mental Health, occupational health, Pandemic, Privacy, public health, Uncategorized, Veterans Health Administration | Tagged: , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

4/15 ONC Briefing Covers New Health IT Funding Opportunities

April 14, 2020

Working or interested in working on the development and testing of data sharing functionalities to support clinical care, research, and improved health care outcomes?  Listen in tomorrow (April 15, 2020) at 1:30 p.m. Eastern, 12:30 p.m. Central time to an informational briefing about newly announced funding opportunities issued by the Office of the National Coordinator for Health Information Technology under its Leading Edge Acceleration Projects (LEAP) in Health Information Technology (Health IT)  whose specific aims address one of the following areas:

  • Advancing Registry Infrastructure for a Modern API-based Health IT Ecosystem

  • Cutting Edge Health IT Tools for Scaling Research

  • Integrating Health Care and Human Services Data to Support Improved Outcomes

The new funding opportunities are part of efforts to promote the interoperability of heath care data to enhance health care quality and affordability that continues to be a top ONC priority since ONC released its 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

Under the 21st Century Cures Act, Congress gave ONC authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

  • The development and use of upgraded health IT capabilities;
  • Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
  • Improvement of the health IT end user experience, including by reducing administrative burden.

The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act and  to increase nationwide interoperability of health information and reduce clinician burden.

ONC’s resulting emphasis on health data interoperability  raises new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others.    The new funding opportunities are intended to produce new capabilities for achieving these objectives.

For more information, visit LEAP in Health IT.

More Information

We hope this update is helpful. In addition to this update, the author of this article also is extensively published and frequent speaker on HIPAA and other medical privacy and security, pandemic and other infectious disease, and other health industry crisis preparedness and response, regulatory compliance, risk management and operations, public policy and other concerns. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer.  Limited non-exclusive license to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | Academic medicine, ASC, Border Health, Childrens Health Insurance Program, COVID-19, data breach, data security, Direct Primary Care, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Health Care, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HIPAA, Home Health, home health, Hospital, Indian Health, medical devices, Medical Licensure, Medical Privacy, Medical Records, Mental Health, occupational health, Pandemic, Privacy, public health, Uncategorized, Veterans Health Administration | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

OCR Adds HIPAA Privacy Rule Enforcement Relief For Community-Based COVID-19 Testing Sites; Updated HIPAA Risk Assessments Advisable For COVID-19 Impacted Operational Changes

April 9, 2020

All Health Care Providers & Business Associates Reminded To Conduct Documented Risk Assessments In Response To COVID-19 Operational Changes

The U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Health Insurance Portability & Accountability Act Privacy Rule 2019 Novel Coronavirus (COVID-19) emergency enforcement relief for certain covered health care providers and their business associates participating in the operation of mobile, drive-through, or walk-up COVID-19 specimen collection and testing sites that only provide COVID-19 specimen collection or testing services to the public (Community-Based Testing Sites, or CBTS).  The Notification of Enforcement Discretion ON CBTS During The COVID-19 Nationwide Public Health Emergency (“Notice”) expands upon the series of HIPAA enforcement relief and other flexibility OCR has granted to health care providers and other HIPAA-covered entities and business associates when dealing with the COVID-19 National Health Emergency declared by President Trump on March 13, 2020.

While welcome relief for those health care providers and business associates that qualify for this relief, it is critical that all health care providers, health plans, health care clearinghouses and their business associates do not overlook the importance of ensuring their HIPAA obligations are fulfilled amid the frenzy of coping with the ongoing COVID-19 crisis.  Like OCR’s previously announced March 30, 2020 Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (“Telehealth Relief”) and the COVID-19 related flexibilities granted by OCR in its February 2020 Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPAA Privacy and Novel Coronavirus (“OCR COVID-19 HIPAA Bulletin”), the CBTS Notice provides valuable flexibility and relief for HIPAA covered entities and business associates that qualify for the granted relief.  While welcoming this relief, all covered entities and business associates need to keep in mind that the shifting of care locations, systems, affiliations and other arrangements to deal with the COVID-19 national health emergency generally are accompanied by changes in the collection, use, access, disclosure, storage and transmission of protected health information generally and electronic protected health information and its associated devices and systems.  Except to the extent protected by COVID-19 or other specific disaster relief from OCR, covered entities and business associates need to use care to conduct appropriately documented risk assessments and take other necessary steps to maintain HIPAA compliance in these operations and systems throughout the emergency.  See also COVID-19 Telehealth Relief; CMS ESRD, General Practitioner Telehealth Toolkits Released;  OCR Grants HIPAA Telemedicine Relief During COVID-19 Crisis.

April 9 HIPAA Enforcement Relief For Certain COVID-19 Testing Related Activities

According to Director Roger Severino, the limited enforcement relief  in the Notice is intended  “to encourage the growth of mobile testing sites so more people can get tested quickly and safely.”  Under the April 9, 2020 Notice, OCR will not impose penalties for violations of HIPAA regulatory requirements committed by covered entities or business associates in connection with their good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency.  The enforcement relief provided by the s retroactive to violations committed on or after March 13, 2020 even though just announced on April 9.

The enforcement relief applies to all HIPAA covered health care providers and their business associates when such entities are, in good faith, participating in the operation of a CBTS.   According to the Notice, operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.  Covered entities and business associates intending to rely upon the enforcement relief need to understand its limited scope. The relief only applies to health care providers or their business associates when participating in CBTS related activities. It does not apply to non-CBTS related activities of health care providers  or their business associates including the handling of PHI outside of the operation of a CBTS or to health plans, health care clearinghouses, or their business associates performing health plan and clearinghouse functions. To the extent that an entity performs both plan and provider functions, the Notice says the relief only applies to the entity in its role as a covered health care provider and only to the extent that it participates in a CBTS.  Covered entities and business associates not covered by the CBTS relief provided by the Notice generally remain subject to all otherwise applicable HIPAA requirements except as otherwise provided in the Telehealth Relief or other COVID-19 related flexibilities granted by OCR in the OCR COVID-19 HIPAA Bulletin or other previously issued HIPAA guidance for dealing with public emergencies,

While committing that OCR will not take HIPAA enforcement action against covered entities or business associates for violating HIPAA’s regulatory requirements during the COVID-19 emergency, the Notice nevertheless encourages covered entities and business associates participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI including:

  • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
  • Using secure technology at a CBTS to record and transmit electronic PHI.
  • Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

While OCR says the Notice’s enforcement relief for CBTS related activity is not conditional upon adherence to these recommendations, CBTS involved covered entities and business associations should keep in mind that the OCR relief does not necessarily affect their otherwise applicable requirements, if any, to comply to these and other health or medical privacy, data security, confidentiality or other similar requirements applicable under otherwise applicable state statutory or common laws, regulations, accreditation or credentialing, contractual or other legally relevant requirements or standards.

Covered Entities & Business Associates Should Conduct Documented Risk Assessment To Verify Compliance Taking Into Account COVID-19 Operational Changes & Relief

Health care providers, health plans, health care clearinghouses and their business associates hoping to rely upon the relief in the CBTS Notice, the Telehealth Relief,  the OCR COVID-19 HIPAA Bulletin or other previously issued HIPAA guidance for dealing with public emergencies, need to verify their qualification and compliance with that guidance.  In the meantime, all HIPAA covered entities and business associates also should be cognizant of the advisability of also conducting timely, documented risk assessments and taking other necessary steps to ensure that they can demonstrate that their ongoing operations, taking into account any COVID-19 specific changes in operations, systems, locations, business associates or other HIPAA relevant arrangements or operations, comply with all remaining relevant requirements of HIPAA or other relevant federal or state statutory, regulatory, common law, ethical, contractual or other requirements. This is particularly important with respect to modification locations, equipment, or other COVID-19 related changes may impact or disrupt usual operations or involve the use, access, disclosure, retention or transmission of protected health information or other sensitive data outside of processes, systems or location previously subject to a risk assessment to confirm and document adequate compliance with HIPAA or other relevant requirements.  To the extent that any deficiencies may have occurred, timely action should be taken to conduct an appropriate documented investigation and risk assessment, and provide any necessary breach notification or other corrective action necessary to correct or mitigate those events.  Because of the potential sensitivity of these activities, health care providers, health plans, health care clearinghouses and their business associations should consider contacting experienced legal counsel to arrange for those activities to be structured to preserve the possibility of using attorney-client privilege or other legal privileges to help defend sensitive communications or evaluations against discovery in the event of a future litigation or administrative investigation.

More Information

We hope this update is helpful. In addition to this update, the author of this article also is extensively published and frequent speaker on HIPAA and other medical privacy and security, pandemic and other infectious disease, and other health industry crisis preparedness and response, regulatory compliance, risk management and operations, public policy and other concerns. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer.  Limited non-exclusive license to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | Academic medicine, ASC, Border Health, Childrens Health Insurance Program, COVID-19, data breach, data security, Direct Primary Care, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Health Care, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HIPAA, Home Health, home health, Hospital, Indian Health, medical devices, Medical Licensure, Medical Privacy, Medical Records, Mental Health, occupational health, Pandemic, Privacy, public health, Uncategorized, Veterans Health Administration | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

COVID-19 Telehealth Relief; CMS ESRD, General Practitioner Telehealth Toolkits Released

March 24, 2020

The U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Health Insurance Portability & Accountability Act Privacy Rule 2019 Novel Coronavirus (COVID-19) emergency enforcement relief for certain covered health care providers and their business associates participating in the operation of mobile, drive-through, or walk-up COVID-19 specimen collection and testing sites that only provide COVID-19 specimen collection or testing services to the public (Community-Based Testing Sites, or CBTS).  The Notification of Enforcement Discretion ON CBTS During The COVID-19 Nationwide Public Health Emergency (“Notice”) expands upon the series of HIPAA enforcement relief and other flexibility OCR has granted to health care providers and other HIPAA-covered entities and business associates when dealing with the COVID-19 National Health Emergency declared by President Trump on March 13, 2020.

While welcome relief for those health care providers and business associates that qualify for this relief, it is critical that all health care providers, health plans, health care clearinghouses and their business associates do not overlook the importance of ensuring their HIPAA obligations are fulfilled amid the frenzy of coping with the ongoing COVID-19 crisis.  Like OCR’s previously announced March 30, 2020 Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (“Telehealth Relief”) and the COVID-19 related flexibilities granted by OCR in its February 2020 Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPAA Privacy and Novel Coronavirus (“OCR COVID-19 HIPAA Bulletin”), the CBTS Notice provides valuable flexibility and relief for HIPAA covered entities and business associates that qualify for the granted relief.  While welcoming this relief, all covered entities and business associates need to keep in mind that the shifting of care locations, systems, affiliations and other arrangements to deal with the COVID-19 national health emergency generally are accompanied by changes in the collection, use, access, disclosure, storage and transmission of protected health information generally and electronic protected health information and its associated devices and systems.  Except to the extent protected by COVID-19 or other specific disaster relief from OCR, covered entities and business associates need to use care to conduct appropriately documented risk assessments and take other necessary steps to maintain HIPAA compliance in these operations and systems throughout the emergency.  See also COVID-19 Telehealth Relief; CMS ESRD, General Practitioner Telehealth Toolkits Released;  OCR Grants HIPAA Telemedicine Relief During COVID-19 Crisis.

April 9 HIPAA Enforcement Relief For Certain COVID-19 Testing Related Activities

According to Director Roger Severino, the limited enforcement relief  in the Notice is intended  “to encourage the growth of mobile testing sites so more people can get tested quickly and safely.”  Under the April 9, 2020 Notice, OCR will not impose penalties for violations of HIPAA regulatory requirements committed by covered entities or business associates in connection with their good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency.  The enforcement relief provided by the s retroactive to violations committed on or after March 13, 2020 even though just announced on April 9.

The enforcement relief applies to all HIPAA covered health care providers and their business associates when such entities are, in good faith, participating in the operation of a CBTS.   According to the Notice, operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.  Covered entities and business associates intending to rely upon the enforcement relief need to understand its limited scope. The relief only applies to health care providers or their business associates when participating in CBTS related activities. It does not apply to non-CBTS related activities of health care providers  or their business associates including the handling of PHI outside of the operation of a CBTS or to health plans, health care clearinghouses, or their business associates performing health plan and clearinghouse functions. To the extent that an entity performs both plan and provider functions, the Notice says the relief only applies to the entity in its role as a covered health care provider and only to the extent that it participates in a CBTS.  Covered entities and business associates not covered by the CBTS relief provided by the Notice generally remain subject to all otherwise applicable HIPAA requirements except as otherwise provided in the Telehealth Relief or other COVID-19 related flexibilities granted by OCR in the OCR COVID-19 HIPAA Bulletin or other previously issued HIPAA guidance for dealing with public emergencies,

While committing that OCR will not take HIPAA enforcement action against covered entities or business associates for violating HIPAA’s regulatory requirements during the COVID-19 emergency, the Notice nevertheless encourages covered entities and business associates participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI including:

  • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
  • Using secure technology at a CBTS to record and transmit electronic PHI.
  • Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

While OCR says the Notice’s enforcement relief for CBTS related activity is not conditional upon adherence to these recommendations, CBTS involved covered entities and business associations should keep in mind that the OCR relief does not necessarily affect their otherwise applicable requirements, if any, to comply to these and other health or medical privacy, data security, confidentiality or other similar requirements applicable under otherwise applicable state statutory or common laws, regulations, accreditation or credentialing, contractual or other legally relevant requirements or standards.

Today, the Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) released two comprehensive toolkits on telehealth:

  • The Telehealth Toolkit for General Practitioners available here;
  • The End-Stage Renal Disease Providers Toolkit available here.

The Toolkits’ release follows up on last week’s Centers for Medicare & Medicare Services (“CMS”) loosening of requirements for Medicare coverage of telehealth services and privacy and data security requirements so that beneficiaries can receive a wider range of services from their doctors without having to travel to a healthcare facility on a temporary and emergency basis under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act.

COVID-19 Emergency TeleHealth Waivers & Rules

Under this temporary new waiver, Medicare can pay for office, hospital, and other visits furnished via telehealth across the country and including in patient’s places of residence starting March 6, 2020.  The waiver applies to a range of providers, such as doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers, will be able to offer telehealth to their patients.

  • New TeleHealth Toolkits

Each of the telehealth toolkits released today contains electronic links to reliable sources of information on telehealth and telemedicine, which will reduce the amount of time providers spend searching for answers and increase their time with patients. HHS intends these links to help providers choose learn about the general concept of telehealth, choose telemedicine vendors, initiate a telemedicine program, monitor patients remotely, and develop documentation tools. Additionally, the information contained within each toolkit also outlines temporary virtual services that could be used to treat patients during this specific period of time.

  • COVID-19 Temporary Limited Scope HIPAA Privacy Telehealth Relief

The HHS COVID-19 emergency teleheath waivers follow up on the HHS Office for Civil Rights (OCR) March 20, 2020 Notification of Enforcement Discretion on Telehealth Remote Communications (the “Notice”) announcing temporary, limited scope enforcement relief from some, but not all of the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules for health care providers using “non-public facing” communication technologies to provide telemedicine services during the COVID-19 health care emergency

Intended to allow health care providers greater latitude under HIPAA to  communicate with patients and provide telehealth services through remote communications technologies during the COVID-19 national emergency, the Notice allows covered health care providers wishing to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency the option to  any availabe “non-public facing” remote communication product to communicate with patients if the platform by verifying the platform is HIPAA compliant and securing the necessary business associate agreement (“BAA”) with the communication provider.

Specifically the Notice announces OCR is exercising its enforcement discretion  not to impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using non-public facing audio or video communication products during the COVID-19 nationwide public health emergency in accordance with the requirements set forth in the Notice.  The non-enforcement policy applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.   During the COVID-19 emergency, this relief for non-public facing remote communications allows a health care providers  the flexibility when it determines appropriate in his or her professional judgement to request to examine a patient using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation.

The relief does not apply to “public facing” remote communications however,  Facebook Live, Twitch, TikTok, and similar video communication applications are considered “public facing.”  The OCR bulletin states health care providers should not use any of these or other public facing remote communications to provide telehealth services under the Bulletin.

The Notice also alerts health care providers providing telemedicine services under the Notice need to ensure they have in place appropriate business associate agreements {“BAAs”) with each technology vendors used to conduct these communications and that the vendor is otherwise HIPAA compliant.  The Notice lists the following as some vendors that have represented to OCR that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA include:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • me
  • Google G Suite Hangouts Meet

Providers should note that the Notice also states that OCR does not endorse, recommend or certify any of these vendors or the adequacy of their BAAs.  Consequently, providers intending to use any of thes platforms should conduct their own documented due diligence to confirm that the necessary HIPAA requirements are met.    Providers also should keep in mind that the OCR Notice does not modify any otherwise applicable federal or state law, contractual or ethical requirements that may apply to their use of these telemedicine platforms.  As many provider’s HIPAA notices may have included statements inconsistent with the use of these technologies, the provider should consider providing notification of the change of its practices that includes disclosures about potentially lower privacy protections.  Because the relief is limited in scope and duration, providers relying on the relief also will need to closely monitor developments and adjust practices as necessary when the emergency waivers expire or are modified.

Covered Entities & Business Associates Should Conduct Documented Risk Assessment To Verify Compliance Taking Into Account COVID-19 Operational Changes & Relief

Health care providers, health plans, health care clearinghouses and their business associates hoping to rely upon the relief in the CBTS Notice, the Telehealth Relief,  the OCR COVID-19 HIPAA Bulletin or other previously issued HIPAA guidance for dealing with public emergencies, need to verify their qualification and compliance with that guidance.  In the meantime, all HIPAA covered entities and business associates also should be cognizant of the advisability of also conducting timely, documented risk assessments and taking other necessary steps to ensure that they can demonstrate that their ongoing operations, taking into account any COVID-19 specific changes in operations, systems, locations, business associates or other HIPAA relevant arrangements or operations, comply with all remaining relevant requirements of HIPAA or other relevant federal or state statutory, regulatory, common law, ethical, contractual or other requirements. This is particularly important with respect to modification locations, equipment, or other COVID-19 related changes may impact or disrupt usual operations or involve the use, access, disclosure, retention or transmission of protected health information or other sensitive data outside of processes, systems or location previously subject to a risk assessment to confirm and document adequate compliance with HIPAA or other relevant requirements.  To the extent that any deficiencies may have occurred, timely action should be taken to conduct an appropriate documented investigation and risk assessment, and provide any necessary breach notification or other corrective action necessary to correct or mitigate those events.  Because of the potential sensitivity of these activities, health care providers, health plans, health care clearinghouses and their business associations should consider contacting experienced legal counsel to arrange for those activities to be structured to preserve the possibility of using attorney-client privilege or other legal privileges to help defend sensitive communications or evaluations against discovery in the event of a future litigation or administrative investigation.

More Information & Resources

We hope this update is helpful. If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.  To learn more about Ms. Stamer, her services, experience, publications or involvements; to review or request other developments, publications, resources and tools; or to register for future updates, see www.cynthiastamer.com, see www.cynthiastamer.com; connect on LinkedIn or Facebook; or contact us via e-mail or via telephone at (214) 452 -8297

About The Author

Cynthia Marcotte Stamer is a practicing attorney, management and regulatory affairs consultant, author and lecturer, who has worked extensively on pandemic and other crisis planning, preparedness and response and other business change, risk, compliance and operation management throughout her 30 plus year career.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, and a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel, Ms. Stamer is widely recognized for her pragmatic, leading edge work, scholarship and thought leadership on domestic and international, public and private sector health care and managed care, workforce and performance, safety, legal and operational compliance and risk management, crisis preparedness and response, and other essential legal and operational concerns.

Her experience includes extensive work domestically and internationally with hospitals, health care systems, clinics, skilled nursing and other long term care, rehabilitation and other health care facilities; physicians, medical staff and other health care providers and organizations; accreditation, peer review and quality committees and organizations;  health care management and technology and other health and managed care industry clients; self-insured and insured health and other employee benefit plans, their sponsors, fiduciaries, administrators, insurers and service providers and other payers; employers; billing, utilization management, quality, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization and the author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans and a multitude of other publications and workshops on health and other disaster and other crisis preparedness, risk management and response, as well as a multitude of other health care, workforce and other management and regulatory affairs publications and presentations, Ms. Stamer also shares her thought leadership through her extensive and diverse involvement in a broad range of other professional and civic organizations.  Examples of these involvements include her service as the current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former JCEB Council Representative;  past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; former ABA RPTE Employee Benefits & Other Compensation Group Chair and Past Chair and current Co-Chair of its Welfare Benefits Committee;  former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas; former technical advisor to the National Physicians Council on Health Care Policy; former member of the Stem Cell Advisory Committee; and in a multitude of other professional, trade, civic and community service organizations.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.

Leave a Comment » | Academic medicine, Centers For Disease Control, Childrens Health Insurance Program, Conditions of Participation, Coronavirus, COVID-19, Disease Management, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Emergency Care, Employer, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, HIPAA, Home Health, home health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Meaningful Use, Medicaid, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Mental Health, Pandemic, Pharmaceudical, Pharmacy, Physician, Prescription Drugs, Prohibited Transaction, Reimbursement, Rural Health Care, Uncategorized, Veterans Health, Veterans Health Care | Permalink
Posted by Cynthia Marcotte Stamer

Court Ruling Gives Health Care & Other HIPAA Covered Entities Option To Reduce Costs of Responding To 3rd Party PHI Record Requests

January 29, 2020

Health care providers, health plans, health care clearinghouses and their records providers and other business associates should review and update their existing policies and practices on the charge and other procedures for responding to third party requests for records containing protected health information (“PHI”)  in response to newly allowed flexibility created by the January 23, 2020 federal district court order (the “Coix Order”) in Coix Health, LLC v. Azar, et al, No 18 –CV-0040 (D>D.C. January 23, 2020) that bars enforcement of certain requirements of the Department of Health & Human Service (“HHS”) Office of Civil Rights (“OCR”) rules implementing patient rights to access to PHI created by the Health Insurance Portability & Accountability Act (“HIPAA”) from health plans, health care providers, health care clearinghouses (“”Covered Entities”) and their business associates (“HIPAA entities”).  Utilizing the flexibility resulting from the Coix Order could help reduce health plan costs of compliance with the HIPAA right of access rule by allowing the health plan and its records providers more freedom to determine the charges and format for delivering PHI in response to records requests received from other insurers, lawyers and other third parties.  

Coix Order  Invalidates Pieces of OCR HIPAA Rules On PHI Record  Rules 

The new flexibility results from a January 23, 2020 Coix Order in response to a lawsuit brought by Coix Health, LLC (“”Coix”) challenging the “Patient Rate” and other provisions of OCR’s regulation implementing HIPAA’s right of access requirements under 45 C.F.R. §164.524 as adopted by OCR as part of its final rule entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  (The “2013 Omnibus Rule”) on January 25, 2013.   In particular, the 2013 Omnibus Rule includes a “Patient Rate” rule that limits the charges that Covered Entities can make for delivering PHI requested by patients and third parties to prevent patient access to PHI from being thwarted by excessive fees.  As part of the Patient Rate rule, OCR restricted what Covered Entities and their records providers can charge to provide copies of protected health information.  The Patient Rate rule restricts charges that can be imposed to provide protected health information, restricts the methods for calculating these charges and limits the type and amount of labor costs that can be included when calculating the Patient Rate. The Patient Rate rule in the 201 Omnibus Rule also requires that Covered Entities and their records companies provide the requested PHI directly to the patient or to a third party designed by the patient and in the format requested by the patient regardless of the format in which the Covered Entity or its medical provider maintains the PHI within its record.  

When originally implemented, the medical records industry generally understood that the Patient Rate limitations applied only to requests for PHI made by the patient for use by the patient.  Before 2016, however, Covered Entities and their medical records providers generally understood that this Patient Rate rule did not apply to or limit fees that Covered Entities or their medical records providers could charge commercial entities or other third parties like insurance companies and law firms to fill requests for PHI.  That understanding changed, in 2016, however, when HHS issued guidance that stated that the Patient Rate applies even to requests to deliver PHI to third parties.  

A specialized medical-records provider that contracts with healthcare suppliers nationwide to maintain, retrieve, and produce individuals’ PHI, Cox handles tens of millions of requests for records containing PHI annually including demands by healthcare providers for treatment purposes, patients asking for their own PHI, and third parties, such as life insurance companies and law firms, seeking a patient’s PHI for commercial or legal reasons.  According to Cox, OCR’s interpretation of the Patient Rate rule as applicable to third party requests as well as direct patient requests cost it and other medical records companies millions of dollars in revenue. Accordingly, Coix filed the Coix Health, LLC v. Azar, et al lawsuit challenging OCR’s 2016 application of the Patient Rate to third party requests as violating the procedural and substantive protections of the Administrative Procedure Act (“APA”). In addition to this challenge to the scope of the Patient Rate, Coix also contested OCR pronouncements in the 2016 guidance document on (1) the types of labor costs that are recoverable under the Patient Rate; and (2) the three alternative methods identified for calculating the Patient Rate as violating the APA’s procedural and substantive provisions. Finally, Coix also challenged the requirement in the Patient Rate rule that records companies to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient. According to Coix, Congress required only that certain types of electronic health records be delivered to third parties, not all records regardless of their format, as HHS’s regulations now command.  

In its January 23, 2020 ruling on HHS’s motion to dismiss and the parties’ cross-motions for summary judgment, the D.C. District Court agreed with OCR that OCR’s rule requiring the use of one of three methods for calculating the Patient Rate was unreviewable as a final agency action and dismissed Coix’ challenge to that requirement. Concerning Coax’s other challenges, the Court sided with Coix.  It ruled that:  

  • OCR’s 2013 rule compelling delivery of PHI to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress;  
  • OCR’s broadening of the Patient 3 Rate in 2016 is a legislative rule that the agency failed to subject to notice and comment in violation of the APA; and  
  • OCR’s 2016 explanation concerning what labor costs can be recovered under the Patient Rate is an interpretative rule that OCR was not required to subject to notice and comment.  

Accordingly, District Court in the Coix Order declares unlawful and vacates (1) the 2016 Patient Rate expansion and (2) the 2013 mandate broadening PHI delivery to third parties regardless of format within the individual right of access” set forth in the provisions of 45 C.F.R. §164.524 of the 2013 Omnibus Rule insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to protected health information of an individual in an electronic format.” Additionally, the federal court ordered that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) only apply to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.  

OCR Plans To Comply With Coix Order In Applying Patient Record Rule 

In an “Important Notice Regarding Individuals’ Right of Access to Health Records” released January 28, 2020, OCR announced that that it will comply with the Coix Order vacating the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual  . . . in an electronic format.” Additionally, OCR stated that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and not apply to an individual’s request to transmit records to a third party.   However, OCR also added that the right of individuals to access their own records and the fee limitations that apply when exercising this right are undisturbed and remain in effect.  OCR will continue to enforce the right of access provisions in 45 C.F.R. § 164.524 that are not restricted by the court order.  

Update Patient Rate & Access Provisions Of HIPAA Policies & Notices 

As a result of the Coix Order, Covered Entities and their medical records providers still must calculate the Patient Rate in accordance with one of the three allowed methodologies when providing a patient with records containing PHI in response to a patient request.  However, Covered Entities and their medical records provider now may exercise greater flexibility when determining the format and charges when responding to requests from third parties other than the patient for records containing PHI.  Before doing so, however, most Covered Entities and business associates will want to update their HIPAA policies and procedures to reflect the new practices consistent with the new HIPAA and other relevant requirements.  Updating the policies first is important because the 2013 Omnibus Rule states Covered Entities violate HIPAA by failing to follow their own HIPAA privacy and security policies when those practices are more restrictive than those mandated by OCR’s 2013 Omnibus Rule.  Consequently however, Covered Entities and their medical records companies desiring to exercise this newly available flexibility should revise their existing policies and procedures to authorize their exercise of this new flexibility consistent with the Coix Order and associated OCR guidance. 

More Information  

We hope this update is helpful. For more information about the Coix Order or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author  

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.  

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  

This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.  

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here 

About Solutions Law Press, Inc.™  

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:  

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.  

©2020 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved. 

Leave a Comment » | 21st century cures act, Academic medicine, Electronic Health Records, Health Care, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, HIPAA, home health, Hospital, Indian Health, Medical Privacy, Medical Records, Medicare, Medicare Fee Schedule, Rural Health Care, Uncategorized, Veterans Health, Veterans Health Care | Permalink
Posted by Cynthia Marcotte Stamer

$1.6M HIPAA Penalty Mostly Due To Inadequate Security Assessment & Oversight

December 16, 2019

The $1.6 million civil monetary penalty (“CMP”) assessed against the Texas Health and Human Services Commission (“TX HHSC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules between 2013 and 2017 committed by a predecessor agency, the Department of Aging and Disability Services (“DADS”) illustrates the critical need for all HIPAA covered entities and business associates to confirm the adequacy of their enterprise wide security assessment, oversight, and other HIPAA Privacy and Security compliance and risk management including documentation of the reassessment and updating of these materials and assessments in connection with any update or change in software, systems or other system and security relevant developments.

OCR imposed the CMPs against TX HHSC for violations of HIPAA OCR found DADS committed from 2015 to 2017, before it was reorganized into TX HHSC in September 2017.  Like most other large HIPAA CMPs and settlements paid to avoid CMPs, a review of the TX HSSC CMP events makes clear that the large penalty resulted mostly because of inadequate assessment and oversight of security, rather than the actual breach itself that prompted the investigation leading to the CMP assessment.

Before its merger into TX HHSC, DADS was the Texas agency primarily responsible for providing and administering the state’s long-term care services for aging and intellectually and physically disabled people.  TX HHSC now administers and provides the services previously provided by DADS as part of its broader operation of state supported living centers; provision of mental health and substance use services; regulation of child care and nursing facilities; and administration of hundreds of other programs for people needing supplemental nutrition benefits, Medicaid and certain other assistance including those previously provided by DADS.

DADS Breaches & Violations

The $1.6 million CMPs assessment against TX HHSC resulted after OCR investigated a 2015 breach report made by DADS.  On June 11, 2015, DADS submitted a Breach Notification Report (“Report”) notifying OCR that on April 21, 2015 names, addresses, social security numbers, treatment information and other electronic protected health information (“ePHI”) of 6,617 individuals was viewable over the internet when a software coding flaw allowed prohibited access to ePHI with access credentials when DADS moved an internal application from a private, secure server to a public server.  OCR’s investigation determined that, in addition to that impermissible disclosure, DADS violated the HIPAA Security Rule by failing to conduct an enterprise-wide risk analysis and implement access and audit controls on Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities (“CLASS/DBMD”) program information systems and applications intended to collect and report information about “Utilization Management and Review” activities to the Centers for Medicare & Medicaid Services (“CMS”) for the CLASS/DBMD waiver programs.. The CMS waiver programs required DADS to collect and report to CMS applicant and enrollee community and institutional service choice, Level of Care, Plan of Care, waiver provider choice  and other waiver program performance data for CLASS and DBMD as part of a required evidentiary report on all §1915(c) waiver programs.  The CLASS/DBMD application glitch compromised the ePHI by allowing an undetermined number of unauthorized users to view the ePHI without verifying user credentials. TX HHSC learned of the breach from an unauthorized user who accessed ePHI in the application without being required to input user credentials. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.

OCR initiated a compliance review of DADS on June 23, 2015 in response to the breach notification. As HIPAA Security Rule at 45 C.F.R. ·§ 164.312(a)(l) requires a covered entity to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs properly granted access rights under HIPAA Security Rule § 164.308(a)(4), OCR found that by placing the CLASS/DBMD application on their public server without requiring users to provide access credentials, TX HHSC violated HIPAA by failing to implement access controls on all of its systems and applications throughout its enterprise in violation of 45 C.F.R. § 164.312(a)(l).

The HIPAA Security Rule at 45 C.F.R. § 164.312(b) requires a covered entity to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.  In the course of its investigation, OCR requested in its June 23, 2015 Data Request that DADS provide a copy of its current HIPAA administrative and technical policies and procedures.  As DADS provided no evidence that the application was capable of auditing user access after it was moved to the unsecure public server as required by 45 C.F.R. § 164.312(b) with its response, OCR also concluded from its investigation that TX HHSC failed to implement audit controls to all of its systems and applications, like the application involved in the breach, as required by 45 C.F.R. § 164.312(b).

Beyond these violations, OCR also found that DADS also violated the HIPAA Security Rule by failing to conduct the required accurate and thorough enterprise wised risk analysis required by the HIPAA Security Rule.  In this respect, the HIPAA Security Rule at 45 C.F.R. § 164.308(a)(1)(ii)(A) requires a covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it holds.  In its August 31, 2015 response to OCR’s Data Request dated July 23, 2015, DADS acknowledged that, while it had performed ”risk assessment activities” on individual applications and servers, it never performed an “agency-wide” security risk analysis.   On July 28, 2017, OCR received the documentation that DADS represented to be the documentation of its risk analysis.  After reviewing this evidence, OCR additionally found DADS violated the HIPAA Security Rule by failing to conduct an enterprise-wide risk analysis and implement access and audit controls.

Calculation & Assessment CMPs Totaling $1.6 Million

On May 23, 2018, OCR issued a Letter of Opportunity and informed TX HHSC that OCR’s investigation indicated that TX HHSC failed to comply with the Privacy and Security Rules, which remained unresolved despite OCR’s attempts to do so. The letter stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR was informing TX HHSC of the preliminary indications of non-compliance and providing TX HHSC with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a CMP determination under 45 C.F.R. § 160.404. The letter identified each area of noncompliance.  It also stated that TX HHSC also could submit written evidence to support a waiver of a CMP for the indicated areas of non-compliance.

Although the designated representative for TX HHSC as DADS successor received the Letter of Opportunity on May 24, 2018, . TX HHSC did not provide any written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 4S C.F.R. § 160.410 for OCR’s consideration in making the CMP determination or submit any written evidence to support a waiver of a CMP for the indicated areas of non-compliance.  Accordingly, after securing the requisite approval from the Justice Department, OCR issued a Notice of Proposed Determination of Civil Monetary Penalties (“Proposed CMP”) on July 29, 2019.

As explained by the Proposed CMP, as amended by the HITECH Act, Section 13410, 42 U.S.C. § 1320d-5(a)(3), HIPAA authorizes OCR as the designated representative of the Secretary of HHS to impose CMPs against a covered entity for post-February 18, 2009 HIPAA Privacy or Security Rule violations.  These current CMP provisions provide the following rules for the assessment of CMPs for such violations:

  • A minimum of$100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of$1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered. entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of$50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

By law, OCR adjusts the CMP ranges and calendar year cap for each penalty tier for inflation.  The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015.

The Proposed CMP included notice of the CMPs OCR intended to impose CMPs totaling $1.6 million for the violations.  Characterizing each of the violations as due to reasonable cause and not willful neglect, the Proposed CMP Notice made note that OCR was authorized by statute to assess penalties of up to $50,000 per day for each day of the identified violations due for reasonable cause, rather than willful neglect, but authorized OCR to adjust the penalties in light of aggravating and mitigating factors.  The Proposed CMP stated that in arriving at the lesser daily penalty amount, OCR considered as mitigating factors that:

  • The violations did not result in any known physical, financial, or reputational harm to any individuals nor did it hinder any individual’s ability to obtain health care;  and
  • TX HHSC immediately removed the application once it received a report that unauthorized users could access the ePHI of individual beneficiaries.

However, OCR also took note that it viewed DADS failure to act promptly to remediate the breach and to keep a commitment made to OCR in August, 2015 timely to conduct and complete the agency wide risk analysis by August 31, 2016 as an aggravating factor.  Considering these factors, the Proposed CMP notified TX HHSC that OCR intended to assess a daily penalty amount of$1,000 per day ($1,141 after November 2, 2015) per violation capped at $100,000 per calendar year per violation. Applying these amounts, the CMP notified TX HHSC that OCR intended to impose CMPs totaling $1.6 million, as follows:

  • Impermissible disclosures in violation of 45 C.F.R. § 164.502(a), a $100,000 CMP
  • Inadequate access controls in violation of 45 C.F .R. § 164.312(a)(l), a $500,000 CMP
  • Inadequate audit controls in violation of 45 C.F.R. § 164.312(b), a $500,000 CMP
  • Failure to perform required enterprise wide risk analysis in violation of 45 C.F.R. § 164.308(a)(l)(ii)(a), a $500,000.

After TX HHSC , as successor to DADS, did not file a request for hearing before an administrative law judge within the 90 days, OCR imposed the $1.6 million CMP in dated  October 25, 2019 made public on November 7, 2019.

Lessons For Other Health Care Providers, Health Plans, Clearinghouses & Business Associates

The latest in a growing series of multimillion dollar CMPs and Resolution Payments assessed and collected by OCR, the TX HHSC CMP illustrates the critical necessity for all covered entities and business both to take appropriate, well-documented action to prevent, timely discover and redress, and report ePHI breaches and otherwise comply with the otherwise applicable requirements of the HIPAA Privacy, Security and Breach Notification Rules including the conduct and continuous maintenance of appropriate enterprise wide security assessments, audits, and oversight.  With OCR promising to continue its enforcement, all covered entities and business associates should verify the existence and adequacy of their existing enterprise wide risk assessments and safeguards and procedures for monitoring, investigating potential security risks and other breaches and other HIPAA compliance oversight.  Beyond these compliance efforts, the TX HHSC and other CMP actions also drive home the strong advisability for covered entities or business associates that experience a known or potential breach or other violation promptly to investigate and mitigate potential breaches and other violations.  As part of these efforts, covered entities and business associates should seek assistance in conducting their assessments as well as responding to any preexisting and emergent breach or other compliance concerns within the scope of attorney-client privilege from qualified legal counsel with the necessary knowledge and experience of HIPAA and other federal and state laws, regulations and administrative and judicial decisions that define and shape their exposure.  In the event of a breach or other compliance concern, timely guidance and representation by legal counsel with both experience of these requirements and with dealing with OCR and other agencies may help mitigate exposures by expediting timely and appropriate response.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation GroupMs. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, Childrens Health Insurance Program, Electronic Health Records, ERISA, Fiduciary Responsibility, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, Health Care Reform, Health Insurance, Health IT, Health Plan, Health Policy, healthcare, HIPAA, HIPAA Cyber Crime, Home Health, home health, Hospital, Indian Health, Medical Privacy, Medicare, Medicare Fee Schedule, Mental Health, occupational health, Privacy, public health, Rural Health Care, Uncategorized, Veterans Health, Veterans Health Administration, Veterans Health Care | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

New Pharma Transparency Rules Mean More Work For Providers

May 9, 2019

Physicians, pharmacists and pharmacies, prescription benefit management companies and other health industry participants should begin preparing for new questions and other responsibilities likely to arise from the Department of, Health and Human Services(“HHS”) Medicare and Medicaid Programs; Regulation to Require Drug Pricing Transparency Final Rule (the “Rule”) announced on Wednesday, May 8 and scheduled for official publication in the May 10, 2019 Federal Register.

Under the Rule, the Centers for Medicare & Medicaid Services (“CMS”) will require direct-to-consumer television advertisements for prescription pharmaceuticals covered by Medicare or Medicaid to include the list price – the Wholesale Acquisition Cost – if that price is equal to or greater than $35 for a month’s supply or the usual course of therapy. Basically this means the required price information will be added to the disclosures pharmaceutical manufacturers provide during their television advertisements.

Part of President Trump’s American Patients First blueprint, the 102 page Rule seeks to increase transparency for patients and bring down overall drug costs both for patients and for the Medicare and Medicaid programs with the prices updated quarterly.

According to CMS, the 10 most commonly advertised drugs have list prices ranging from $488 to $16,938 per month or usual course of therapy. CMS believes patients should know what a drug costs as they discuss their options with their doctor.

While pharmaceutical drug manufactures generally must obtain approval from the FDA Office of Prescription Drug Promotion (ODPD) for advertising, OPDP does not review price information in prescription drug advertisements. Consequently, HHS says ODPD will not require a manufacturer that simply adds price information to a direct-to-consumer advertisement as required by § 403.1202 of the Rule unless the price information explicitly or implicitly incorporates safety or efficacy information about the drug, or makes express or implied claims about the safety or efficacy of the drug.

In addition to the Rule, HHS continues to review a number of other rules and proposals it hopes to further advance the American Patients First blueprint initiative to improve drug price transparency and inform consumer decision making by fixing opaque systems, changing incentives that drive costs or other undesirable behaviors by pharmaceutical companies, prescription benefit management (“PBM”) companies, health insurers and plans, providers and patients.

While physicians and other health care providers, health plans and their employer sponsors and other health industry organizations have urged greater transparency and other reforms to impact skyrocketing pharmaceutical costs and other concerns, health care providers and health plans need to prepare for a wave of new questions from patients and their caregivers that the new information on pricing likely will fuel and the resulting scrutiny of their own activities and processes relation to the selection of prescription drugs. Physicians and other health care providers should anticipate that more patients and caregivers will question provider prescription of higher cost drugs and ask providers to justify their choices. Providers not only should be prepared to explain their own choices and also to chart their advice to help defend potential challenges. Meanwhile hospitals and other health care entities, health plans, health insurers, PBMs and other health industry players using internal pharmaceutical cost management programs also can anticipate those practices also will come under added scrutiny. In anticipating this added scrutiny, health and health plan players should resist the temptation of assuming that the availability of the additional price information will facilitate discussions with patients or their caregivers about prescription drugs, their selection and comparability for treatment choices and other related concerns. Rather, health care providers and plans alike should anticipate that the added discussions the new price transparency rules are intended to fuel will result in more questioning and require greater care in responding to and justifying their recommendations to patients and plan members. Prayers and providers alike need to anticipate these demands and make the necessary arrangements to prepare for these discussions, by budgeting and setting aside the required time, preparing defensible explanations for the recommendations, and creating the necessary documentation to defend these activities.

If you have questions or would like more information about the new Rule or other developments impacting your health plan design or administration, please contact the author directly. You also are invited to stay abreast of these and other health care developments by participating in our Solutions Law Press, Inc. Linkedin SLP Health Care Risk Management & Operations Group or COPE: Coalition On Patient Empowerment Group or Project COPE: Coalition on Patient Empowerment Facebook Page.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients as well as a diverse array of other business and government entities. Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with operational compliance and risk management; strategic planning; product and services development and innovation; workforce and operations management: crisis preparedness and response; public and regulatory affairs and host of other concerns.

As part of this work, Ms. Stamer continuously advises clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. She helps clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

As part of this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer also continuously works with a diverse array of clients to monitor, shape and respond to federal and state legislative, regulatory, enforcement and other public policy and regulatory affairs concerns.

Author of leading works on a multitude of these and other concerns, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, and Board Certified by the Texas Board of Legal Specialization in Labor and Employment Law, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or experience publications, speaking, public advocacy or other involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, Conditions of Participation, Consumer Driven Health Care, continuing medical education (CME), Corporate Compliance, DEA, Direct Primary Care, Doctor, drug treatment, E-Prescribing, Employer, Evidence Based Medicine, FDA, Health Care, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, home health, Hospice, Hospital, hospitals, Indian Health, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Public Policy, Reimbursement, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Providers, Other HIPAA-Covered Entities Must Provide PHI to Patient-Designated Apps; Liable For Security On Covered Entity Supplied Or Sponsored Apps

May 6, 2019

Health care providers, health plans and other entities (“covered entities”) subject to the Health Insurance Portability & Accountability Act (“HIPAA”) Privacy and Security Rules must deliver electronic protected health information (“ePHI”) to electronic applications or software (“apps”) used by plan members, and are responsible under HIPAA for the security of electronic PHI (“ePHI”) on apps the covered entity  sponsors or provides, according to new guidance from the Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”). With health care providers and other covered entities increasingly offering or promoting the use of apps to patients or plan plan members to access, maintain and use their health information, covered entities and their business associates must understand and be prepared meet their HIPAA responsibilities to provide and protect ePHI to and on these apps, but may want to rethink sponsoring or providing a particular app for that purpose.

New HIPAA FAQ guidance (the “FAQs”) from OCR that addresses the implications of HIPAA on covered entities responsibility when asked to share or for ePHI shared or stored on apps or application programming interfaces (“APIs”) systems, covered entities have a legal obligation to disclose ePHI to an app when subjects of the ePHI or their personal representatives request such disclosures. However, the FAQs also state a covered entity or its business associates won’t be responsible for the security of the data shared to the app unless it sponsors or provides it.  The FAQs state that the liability of the covered entity for the security once delivered to the app depends upon whether the AP or API interface provider is a business associate of the covered entity versus just a third-party provider whose involvement and receipt of the PHI is requested and arranged by the subject of the PHI.

Covered Entities Obligated To Disclose ePHI to Apps Chosen By Individuals

The FAQs make crystal clear that covered entities do not have the option of refusing to share ePHI to an app when requested to do so by the subject of the ePHI or its personal representative. The FAQs states that covered entities cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives. In this regard, the FAQs state that the HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii).According to the FAQ, the HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest.According to the FAQs, the liability a covered entity or business associate bears for sharing ePHI to an App under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) depends on the relationship between the covered entity and the app.

Breaches of Health Information Disclosed To An App

If an app that is neither a covered entity nor a business associate of the covered entity under HIPAA receives ePHI at the request of the subject or its personal representative, the FAQ states that the shared ePHI is no longer subject to the protections of the HIPAA Rules. Thus if the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach. See also, See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party.In contrast, however, the FAQ states that if the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the FAQs state that the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.

Transmission of ePHI to App Using Unsecured Method

The FAQs also address the potential exposures of covered entities and their business associates arising from the transmission of ePHI to an App using an unsecure method. According to the FAQs, the access rights HIPAA guarantees to individuals allows an individual to request that a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. The FAQ states that a covered entity that transmits ePHI through an unsecured means under such circumstances would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, however, the FAQs also suggest that the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.

Post Transmission Exposure of Covered Entity’s EHR Systems Developer

The FAQ also discusses the potential exposure of a covered entity’s electronic health record (EHR) system developer under HIPAA after completing the transmission on behalf of a covered entity of ePHI to an app designated by the subject of the ePHI. According to the FAQs, the exposure of the HER system developer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through or on behalf of, the covered entity (directly or through another business associate), however, the FAQs state the EHR system developer then potentially could face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Covered Entity’s Duty To Enter Into Business Associate Agreement Depends Upon Relationship

Likewise, the FAQs also state that whether HIPAA requires a a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app depends upon the relationship between the app developer and the covered entity and/or its EHR system developer. A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions of the covered entity. An app’s facilitation of access to the individual’s ePHI at the individual’s request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).  However if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer as the covered entity’s business associate), then a business associate agreement would be required.

Health Plan & Other Covered Entity Take Aways

The new FAQ raises several action items for health care providers and other covered entities and their business associates.  Among other things, covered entities must recognize and be prepared currently to provide PHI on the apps of the requesting individual’s preference within the time frames dictated by HIPAA.  Covered entities must recognize that the FAQs reflect this is a current, not future responsibility.

Second, covered entities that have or are considering providing apps or other tools to atients for use in accessing or using PHI also generally need to recognize that covered entity’s provision or sponsorship of the app generally makes the covered entity responsible under HIPAA for the adequacy of the security of the apps provided by or on behalf of the health plan or health care provider including any updates to the apps.  Given the general responsibility to provide PHI to any apps designated by a subject of PHI, many covered entities may want to rethink  whether providing or endorsing a particular app continues to make sense taking into account the HIPAA data privacy and security responsibilities and risks attendent to maintaining the security of PHI stored and accessed using those tools.  Those electing to provide apps or other tools need to take steps to ensure the current and future adequacy of the data security of the app and its associated storage and other components including any future modifications to those tools. 

Furthermore,  covered entities  also should consider the advisability of revising existing notices and authorizations in response to the new FAQs.  For instance, health plans, health care providers and others supplying PHI to an app designated by the requesting individual may want to consider revising forms to document the direction and consent of the requestor to the electronic delivery of the PHI to the designated app to better position themselves to claim the protection against liability for breaches on these subject designate apps described in the FAQs.  Meanwhile, covered entities providing apps also may wish to weigh options for supplementing disclosures to mitigate potential risks from use or failure to upgrade apps that might be viewed as covered entity provided or sponsored.   

Certainly, before sponsoring or allowing a business associate to offer or provide an app or other similar solution, health care providers and other covered entities must ensure that the business associate agreement requirements of HIPAA are met from the app developer and others providing services or the app as business associates to the covered entity.  Covered entities also should take steps to ensure that the interfaces between the apps and other systems are properly security at the point of implementation and during any subsequent upgrades keeping in mind that OCR guidance expects covered entities to reconfirm security for any system, software or app upgrades.  Meeting this expectation for apps within the possession of patients or plan members can present special challenges requiring careful planning. 

Beyond complying with the specific requirements of the FAQs concerning the obligation of health care providers and other covered entities to deliver PHI to apps in formats specified by patients, providers also need to take to heart OCR’s broader requirement that providers and other covered entities deliver and provide timely access to OHI as required by HIPAA generally. Recognizing that noncompliance with this rule remains a top violation, OCR has targeted enforcement of the access rules for increase enforcement. In addition, violations also expose providers to medical licensure and other discipline.

Have questions about the new FAQs or other health care regulatory developments or their implications on your organization, contact the author.  You also are invited to stay abreast of these and other health care developments by participating in our Solutions Law Press, Inc. Linkedin SLP Health Care Risk Management & Operations Group or COPE: Coalition On Patient Empowerment Group or Project COPE: Coalition on Patient Empowerment Facebook Page.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third party administrative services organizations and other payer organizations;  billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompassess advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, heavily involved in health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. She regularly helps employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 

 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | E-Prescribing, Employee Benefits, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance Exchange, Health IT, home health, Hospital, Indian Health, Medicaid, Medicaid Advantage, Medical Licensure, Medicare Advantage, OCR, Physician, Uncategorized | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Provider Pays $3 Million For Breach With Delayed Investigation & Notice

May 6, 2019

A Franklin, Tennessee-based diagnostic medical imaging services provider Touchstone Medical Imaging (“Touchstone”) will pay $3,000,000 to the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”), and adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules.  The Resolution Agreement and Corrective Action Plan announced May 6, 2019 illustrates for other health care providers, health plans, healthcare clearinghouses and their business associates (“Covered Entities”) the perils both of failing to properly secure and protect protected health information and the necessity for timely investigation and disclosure within the short time frames required by HIPAA.

The Resolution Agreement between Touchstone and OCR stems from Touchstone’s mishandling of a 2014 breach.  In May 2014, the Federal Bureau of Investigation (“FBI”) and OCR notified Touchstone that one of its FTP servers allowed uncontrolled access to protected health information (“PHI”).  This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.   While Touchstone initially claimed that no patient PHI was exposed,  in the course of OCR’s investigation, Touchstone subsequently admitted PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  As a result of its delayed acknowledgement of the occurrence of the breach on May 9, 2014, Touchstone did not provide notice of the breach until October, 2014, months after OCR and FBI notified it of the breach.   See here.

OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.  Consequently, Touchstone’s notification to individuals affected by the breach also was untimely.  OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.

The Resolution Agreement illustrates the expensive price Covered Entities risk from failing to conduct risk assessments, obtain business associate agreements and fulfill other HIPAA requirements before a breach, then failing to promptly investigate, provide notification and redress a breach when discovered.  Covered Entities should learn from the painful lesson learned by Touchstone by reconfirming the adequacy of their current HIPAA  compliance and using care to timely and adequately investigate and provide notification if and when a breach occurs.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | E-Prescribing, Employee Benefits, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance Exchange, Health IT, home health, Hospital, Indian Health, Medicaid, Medicaid Advantage, Medical Licensure, Medicare Advantage, OCR, Physician, Uncategorized | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Year-End $3 Million HIPAA Settlement Pushes 2018 OCR HIPAA Recoveries Over $28 Million; Act Promptly To Strengthen Compliance & Share Ideas For Simplification

February 7, 2019

Health care providers, health plans, health care clearinghouse and their business associates (“Covered Entities”) should reconfirm the adequacy of their organization’s Health Insurance Portability and Accountability Act (“HIPAA”) compliance in light the U.S Department of Health and Human Services Office of Civil Rights (“OCR”) February 7, 2019 announcement that OCR reached a 2018 year-end $3 Million Resolution Agreement with California-based Cottage Health that pushed OCR’s already record-setting 2018 enforcement HIPAA recoveries to more than $28.7 million in a year already distinguished by OCR’s record-setting $16 million resolution payment collection from Anthem.

Along with acting to ensure their own organization’s ability to defend their HIPAA compliance, Covered Entities and their leaders also should take advantage of the opportunity to provide input to OCR on opportunities for simplifying and improving OCR’s HIPAA regulations and enforcement by submitting relevant comments by February 12, 2019 in response to a Request for Information published by OCR in December that invites public input.

Learn more de

2018 Cottage Health Resolution Agreement

According to OCR’s February 7, 2019 announcement, Cottage Health agreed in OCR’s final settlement of 2017 to pay OCR $3 million and to adopt a substantial corrective action plan to settle charges of HIPAA violations resulting from OCR’s investigations into two HIPAA Breach notifications Cottage Health filed regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals.

  • A December 2, 2013 breach notification that the removal of electronic security protections by a Cottage Health contractor rendered ePHI such as patient names, addresses, dates of birth, diagnoses/conditions, lab results and other treatment information of 33,349 individuals on a Cottage Health server accessible for download without a username or password from the internet to anyone outside Cottage Health.  In an update to its original report filed on July 2, 2014, Cottage Health increased the number of individuals affected by this breach to 50,917. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password.  As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.
  • A December 1, 2015, that the misconfiguration of a server following an IT response to a troubleshooting ticket, exposed unsecured ePHI including patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information of 11,608 individuals over the internet.

Based upon its investigation into the two breach reports, OCR concluded Cottage Health violated HIPAA by failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

To resolve its exposure to potentially must greater civil monetary sanctions that OCR might seek for such potential violations under HIPAA’s civil monetary sanction rules, Cottage Health entered into December, 2018 Resolution Agreement to pay the $3 million settlement and undertake what OCR characterizes as “a robust corrective action plan to comply with the HIPAA Rules.” Among other things, the corrective action plan requires Cottage Health to:

  • Conduct an enterprise-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Cottage Health (“Risk Analysis”) that OCR views as satisfactory to meet the requirements of 45 CFR 164.308(a)(1)(ii)(A);
  • Develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis acceptable to OCR;
  • Implement a process for regularly evaluating environmental and operational changes that affect the security of Cottage Health’s  ePHI;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information under 45 C.F.R. Part 160 and Subparts A, C, and E of Part 164 (the “Privacy Rule” and “Security Rule”).
  • Distribute to and conduct training on the HIPAA policies and procedures from all existing and new members of the Cottage Health workforce with access to PHI.  Additionally, Cottage Health require all workforce members that have access to PHI to certify their receipt of, understanding and commitment to comply with the HIPAA Policies before allowing access to PHI and must deny access to PHI to any workforce member that has not provided the required certification.
  • Submit to ongoing notification and reporting requirements to keep OCR informed about its compliance efforts.

2018 Record Setting HIPAA Enforcement Year

The final Resolution Agreement negotiated by OCR in 2018, the $3 million Cottage Health Resolution Agreement signed on December 11, 2018 added to an already record-setting year of HIPAA enforcement recoveries by OCR.  In addition to recovering the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc.  OCR’s recovery of the following HIPAA settlements and fines totaling nearly $28.7 million surpassed its previous 2016 record of $23.5 million by 22 percent.

Date Name

Amount
Jan. 2018 Filefax, Inc (settlement) $      100,000
Jan. 2018 Fresenius Medical Care North America (settlement) $   3,500,000
June 2018 MD Anderson (judgment) $   4,348,000
Aug. 2018 Boston Medical Center (settlement) $      100,000
Sep. 2018 Brigham and Women’s Hospital (settlement) $      384,000
Sep. 2018 Massachusetts General Hospital (settlement) $      515,000
Sep. 2018 Advanced Care Hospitalists (settlement) $      500,000
Oct. 2018 Allergy Associates of Hartford (settlement) $      125,000
Oct. 2018 Anthem, Inc (settlement) $ 16,000,000
Nov. 2018 Pagosa Springs (settlement) $      111,400
Dec. 2018 Cottage Health (settlement) $   3,000,000
Total (settlements and judgment) $ 28,683,400

Aside from the previously discussed Cottage Health Resolution Agreement OCR announced on February 7, 2019, these OCR 2018 enforcement recoveries included:

  • FileFax Resolution Agreement.  In January 2018, OCR settled for $100,000 with Filefax, Inc., a medical records maintenance, storage, and delivery services provider.  OCR’s investigation found that Filefax impermissibly disclosed protected health information (PHI) by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
  • Fresenius Medical Care North America Resolution Agreement.  In January 2018, OCR also settled for $3.5 million with Fresenius Medical Care North America (FMCNA), a provider of products and services for people with chronic kidney failure.  FMCNA filed five breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five FMCNA owned covered entities.  OCR’s investigation revealed that FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.  Additional potential violations included failure to implement policies and procedures and failure to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.
  • MD Anderson ALJ Ruling.  In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations.  OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals.  OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013.  This matter is under appeal with the HHS Departmental Appeals Board.
  • MMC/BWH/MGH Resolution Agreements.  In September 2018, OCR announced that it has reached separate settlements totaling $999,000, with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ PHI by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.
  • ACH Resolution Agreement.  In September 2018, OCR also settled with Advanced Care Hospitalists (ACH), a contractor physician group, for $500,000.  ACH filed a breach report confirming that ACH patient information was viewable on a medical billing services’ website.  OCR’s investigation revealed that ACH never had a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014.  Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.
  • Allergy Associates Resolution Agreement.  In October 2018, OCR settled with Allergy Associates, a health care practice that specializes in treating individuals with allergies, for $125,000.  In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. OCR’s investigation found that the reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.
  • Anthem Resolution Agreement.  In October 2018, Anthem, Inc. also paid $16 million to OCR and agreed to take substantial corrective action to settle potential violations of the HIPAA Rules after a series of cyberattacks led to the largest U.S. health data breach in history.  Anthem filed a breach report after discovering cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
  • Pegosa Springs Medical Center.  In November 2018, Pagosa Springs Medical Center (PSMC), a critical access hospital, paid $111,400 to OCR to resolve potential violations concerning a former PSMC employee that continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ ePHI, after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

These 2018 Resolution Agreements reaffirm the growing risks that Covered Entities and their business associates run by failing to take adequate steps to prevent and respond to breaches of ePHI and otherwise to maintain their compliance with HIPAA.  Covered entities and business associates and their leaders should recognize and respond to these growing risks by reevaluating and strengthening their HIPAA compliance and risk management efforts to minimize the likelihood of violations and enhance their ability to mitigate potential liability that can result from breaches of HIPAA by responding efficiently and effectively.

Other Regulatory & Enforcement Developments

In addition to reaffirming their ongoing compliance with the longstanding requirements of HIPAA and other related federal and state laws, Covered Entities also should use care to carefully monitor and respond to new regulatory and other developments that might create new responsibilities or new opportunities to simplify their HIPAA compliance.  In this respect, Covered Entities should take note of the 2018 and ongoing efforts by OCR to develop and publish new rules and other guidance intended to help health care providers and other Covered Entities, patients and caregivers and others understand their rights and responsibilities when dealing with protected health information in relation to patients afflicted with substance abuse and mental illness.   Undertaken as part of the Trump Administration’s broader effort to combat opiate and other substance abuse within the United States, OCR in October published a package of guidance on How HIPAA Allows Doctors To Respond To The Opioid Crisis.  Covered Entities and others concerned with the management of patients afflicted with substance abuse and mental illness should evaluate this guidance to understand and tailor their practices to respond to OCR’s perspectives of how HIPAA impacts the use, access and disclosure of protected health information as part of these efforts.

Covered Entities and others concerned about HIPAA compliance and interpretation also should carefully monitor and provide appropriate and timely input on developing HIPAA guidance that could impact their operations.  In this regard, Covered Entities with ideas about opportunities for improving existing HIPAA guidance are encouraged to submit comments to OCR by February 12, 2019 in response to its Request for Information on improving care coordination and reducing the regulatory burdens of the HIPAA Rules  published on December 12, 2018.  In that RFI, OCR invites input from the public on how the HIPAA Privacy Rule, could be modified to:

  • Encourage information-sharing for treatment and care coordination;
  • Facilitate parental involvement in care;
  • Address the opioid crisis and serious mental illness;
  • Account for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act;
  • Change the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices; and/or
  • Otherwise simplify or improve the existing HIPAA rules.

As a part of these efforts, Covered Entities and other concerned parties also should anticipate that OCR will be focusing heavily in the upcoming year on the potential HIPAA privacy and security implications of efforts by its sister agency, the Office of the National Coordinator for Health Information Technology (“ONC”), to promote greater interoperability of electronic medical records discussed in ONC’s recent 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

Under the 21st Century Cures Act, Congress gave ONC authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

  • The development and use of upgraded health IT capabilities;
  • Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
  • Improvement of the health IT end-user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden.  The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways.  While the Report states ONC intends to move forward to promote efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans, these activities inherently will raise many HIPAA concerns and challenges.  Covered Entities and others concerned with these activities will want to carefully monitor the concurrent activities of OCR and ONC as these efforts progress, both to help tailor their planning and compliance efforts to respond to the anticipated demand for greater interoperability as required by ONC and to help shape these rules by providing timely input as appropriate in response to these developments.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes.  As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | 21st century cures act, Academic medicine, ADA, ASC, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cyber crime, data breach, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, FACTA, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Indian Health, Inpatient Rehabilitation, Joint Commission, Laws, legal epidemiology, managed care, Meaningful Use, Medicaid, medical devices, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Health, Mental Heatlh, NIOSH, NIST, OCR, Opiates, Outpatient, participating provider, Physician, Prescription Drugs, Privacy, Prospective Payment, Provider contracting, public health, Public Policy, quality reporting, quality repoting, Reimbursement, research, Skilled Nursing Facility, Substance Abuse, Technology, Telemedicine, Veterans Health, Veterans Health Care, Wellness | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

ONC Report Signals New Interoperability Demands Coming

January 8, 2019

Interoperability will be a key priority for the Office of the National Coordinator for Health Information Technology (“ONC”) going forward.

That’s the message in the just released 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

The plan to promote interoperability raises new business and compliance planning opportunities for health care providers, health insurers and other payers, health data and information technology (IT) providers and others.

The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act.

Under the 21st Century Cures Act, Congress gave HHS authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

  • The development and use of upgraded health IT capabilities;
  • Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
  • Improvement of the health IT end user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden..

Current Status

The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. For example:

  • Despite the individual right to access health information about themselves established by the HIPAA Privacy Rule, patients often lack access to their own health information, which hinders their ability to manage their health and shop for medical care at lower prices;
  • Health care providers often lack access to patient data at the point of care, particularly when multiple health care providers maintain different pieces of data, own different systems, or use health IT solutions purchased from different developers; and
  • Payers often lack access to clinical data on groups of covered individuals to assess the value of services provided to their customers.
  • The Report says these limitations create several problems, including:
      • Patients should be able to easily and securely access their medical data through their smartphones. Currently, patients electronically access their health information through patient portals that prevent them from easily pulling from multiple sources or health care providers. Patient access to their electronic health information also requires repeated use of logins and manual data updates.
    • For health care providers and payers, interoperable access and exchange of health records is focused on accessing one record at a time.
    • Payers cannot effectively represent their members if they lack computational visibility into which health care providers offer the highest quality care at the lowest cost. Without the capability to access multiple records across a population of patients, health care providers and payers will not benefit from the value of using modern computing solutions—such as machine learning and artificial intelligence—to inform care decisions and identify trends.
    • Payers and employer group health plans which purchase health care have little information on health outcomes. Often, health care providers and payers negotiate contracts based on the health care provider’s reputation rather than on the quality of care that health care provider offers to patients. Health care providers should instead compete based on the entire scope of the quality and value of care they provide, not on how exclusively they can craft their networks. Outcome data will allow payers to apply machine learning and artificial intelligence to have better insight into the value of the care they purchase.
  • Current Barriers
  • According to the Report, HHS heard from stakeholders over the past year that barriers to interoperable access to health information remain, including technical, financial, trust, and business practice barriers. These barriers impede the movement of health information to where it is needed across the care continuum. In addition, burden arising from quality reporting, documentation, administrative, and billing requirements that prescribe how health IT systems are designed also hamper the innovative usability of health IT.
  • Current and Upcoming Actions
  • The Report states HHS has many efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans.
  • ONC also reports Federal agencies, states, and industry have taken steps to address technical, trust, and financial challenges to interoperable health information access, exchange, and use for patients, health care providers, and payers (including insurers). HHS aims to build on these successes through the ONC Health IT Certification Program, HHS rulemaking, health IT innovation projects, and health IT coordination.
  • In accordance with the Cures Act, HHS is actively leading and coordinating a number of key programs and projects. These include continued work to deter and penalize poor business practices and that HHS conducted multiple outreach efforts to engage the clinical community and health IT stakeholders to better understand these barriers, challenges, and health care provider burden.
  • Recommendations
  • The Report makes the following overarching recommendations for future actions HHS plans to support through its policies and that the health IT community as a whole can take to accelerate progress:
      • Focus on improving interoperability and upgrading technical capabilities of health IT, so patients can securely access, aggregate, and move their health information using their smartphones (or other devices) and health care providers can easily send, receive, and analyze patient data.
      Increase transparency in data sharing practices and strengthen technical capabilities of health IT so payers can access population-level clinical data to promote economic transparency and operational efficiency to lower the cost of care and administrative costs.
      Prioritize improving health IT and reducing documentation burden, time inefficiencies, and hassle for health care providers, so they can focus on their patients rather than their computers.

    The Report also says interoperable access underpins HHS’s efforts to pursue a health care system where data are available when and where needed.

    ONC intends to particularly focus on promoting open APIs. Open APIs are technology that allow one software program to access the services provided by another software program and can improve access and exchange of health information. ONC says APIs can:

    • Support patients’ ability to have more access to information electronically through, for example, smartphones and mobile applications. HHS applauds the emergence of patient-facing applications that allow patients to access, aggregate, and act on their health information; and
    • Allow payers to receive necessary and appropriate information on a group of members without having to access one record at a time.
    • Increase institutional accountability, support value- based care models, and lead to competitive medical care pricing that benefits patients.

    The Report claims patients, health care providers, and payers with appropriate access to health information can use modern computing solutions to generate value from the data. Improved interoperability can strengthen market competition, result in greater quality, safety, and value for the healthcare system, and enable patients, health care providers, and payers to experience the benefits of health IT.

    Prepare For Enhanced Operability Requirements

    ONC’s plan to achieve greater interoperability presents new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others. Among other things, participants in the healthcare system and their suppliers will need to prepare to comply with new expectations and mandates for interoperability. Meeting these demands will require financial expenditures as well as present technological challenges.The increased availability and access to electronica medical records and information resulting from these changes also a can be expected to drive new challenges and demands. Among other things, businesses relying on control of health information or records to influence or control patience, reimbursement, or other business value need to reevaluate and adjust their business models accordingly.

    Improve accessibility and interoperability also is likely to create new expectations and demands by patients, payers, other providers and perhaps most significantly for providers and payers, regulators. Participants in the system will need to understand these applications and prepare to both defend their business performance as well as their compliance taking into account these new demands.

    Amid all of this, of course, providers, pears, and their business associates can anticipate continued if not enhanced demands for enhanced data security and privacy protections and accompanying enforcement of these standards.

    As ONC move forward on its plans to enhance interoperability, all concerned stakeholders will want to monitor developments and provide thoughtful and timely input. The time to get started is now. ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Those interested in providing input should make sure their comments are submitted by the applicable deadlines next month.

    Read the full Report here and share your input by the specified deadlines.

    About the Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes.  As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

    Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

    Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

    Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

    Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

    Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | 21st century cures act, Academic medicine, ADA, ASC, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cyber crime, data breach, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, FACTA, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Indian Health, Inpatient Rehabilitation, Joint Commission, Laws, legal epidemiology, managed care, Meaningful Use, Medicaid, medical devices, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Health, Mental Heatlh, NIOSH, NIST, OCR, Opiates, Outpatient, participating provider, Physician, Prescription Drugs, Privacy, Prospective Payment, Provider contracting, public health, Public Policy, quality reporting, quality repoting, Reimbursement, research, Skilled Nursing Facility, Substance Abuse, Technology, Telemedicine, Veterans Health, Veterans Health Care, Wellness | Tagged: , , , , | Permalink
    Posted by Cynthia Marcotte Stamer

    2/11/19 Deadline To Comment On Reducing HIPAA Regulatory Burden

    December 13, 2018

    February 12, 2019 is the deadline for health care providers, health plans, health care clearinghouses, their business associates, health care consumers, employer and other plan sponsors and fiduciaries, and other concerned persons to provide input on reducing the regulatory burdens of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules in response to the December 12, 2018 invitation of the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

    OCR issued the invitation for public comment in a December 12, 2019 Request for Information (RFI).  The RIF seeks input from the public on how OCR’s HIPAA Privacy and other Rules could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare. This RFI is a part of the Regulatory Sprint to Coordinated Care, an initiative led by HHS Deputy Secretary Eric Hargan.

    HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients’ ability to exercise their rights with respect to their PHI.

    OCR’s December 12, 2018 press release concerning the RFI indicates that OCR is looking for candid feedback about how the existing HIPAA regulations are working in the real world and how OCR can improve them to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.

    In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:

    • Encouraging information-sharing for treatment and care coordination
    • Facilitating parental involvement in care
    • Addressing the opioid crisis and serious mental illness
    • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
    • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

    Public comments on the RFI are due by February 11, 2019.

    The RFI follows up on OCR’s announcement of another series of high dollar resolution agreements against covered entities and business associates for alleged breaches of HIPAA’s Privacy or Security Rules, as well as publication of various new guidance intended to help patients, their families, covered entities, business associates and others understand when HIPAA restricts or allows the release of protected health information by covered entities and business associates in mass shooting or other disaster situations, when dealing with patients with substance abuse or mental health conditions and in various other scenarios.  Covered entities, their business associates as well as employer and other health plan sponsors, fiduciaries and others involved with protected health information transactions and disclosures should review this new guidance and evaluate its implications on their actions and practices in addition to sharing input with OCR about opportunities to improve existing HIPAA Rules.

    About the Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health care and health benefit arrangements, contracts, systems, and processes throughout her career.  In addition to her extensive provider and payer contracting work, Ms. Stamer also is recognized for her knowledge, experience and leadership on health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

    Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

    As a key part of this work, Ms. Stamer throughout her career regularly has worked with health care providers and payers, employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce managed care and other contracts, benefit plans and insurance arrangements, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors, supplier, and patient and member relations and requirements; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

    Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

    Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | Academic medicine, ADA, Ambulatory care, Anethesiology, Centers For Disease Control, Child Care, Childrens Health Insurance Program, Civil Rights, Clinical pathway, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, Cultural diversity, Cyber crime, data breach, DEA, Direct Primary Care, Disability Discrimination, Discrimination, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, FACTA, FDA, Fiduciary Responsibility, GINA, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Indian Health, managed care, Meaningful Use, medical devices, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Mental Health, OCR, pain management, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Provider contracting, Reimbursement, Uncategorized, Wellness | Permalink
    Posted by Cynthia Marcotte Stamer

    Allergy Practice $125,000 Settlement Reminds Health Care Providers, Other HIPAA Entities Of Press-Related HIPAA Risk

    November 27, 2018

    Physician practices and other health care providers, health plans and insurers, health care clearinghouses (“Covered Entities”) and their business associates should learn from the costly schooling the Allergy Associates of Hartford, P.C. (“Allergy Associates”) is paying to settle charges that its physician violated the Privacy Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) by commenting to a reporter on a patient complaint under a Resolution Agreement and Corrective Action Plan (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (“OCR”) yesterday (November 26, 2018).  The latest in a series of OCR HIPAA settlements arising from health care providers improperly discussing or disclosing protected health information (PHI) with the press or other media, the Resolution Agreement reminds health care providers and other HIPAA-Covered Entities and their business associates not to discuss or disclose PHI  with the media or others without first obtaining a HIPAA compliant authorization even to respond to accusations made by the patient or others.

    Allergy Associates HIPAA Complaint Charge & Resolution

    On November 26, 2018, OCR announced  that Allergy Associates, a three doctor health care practice that specializes in treating individuals with allergies at four locations across Connecticut, has agreed to pay OCR $125,000 and take corrective action under the Resolution Agreement to resolve charges that the comments a physician made to a reporter on a patient dispute with the practice in 2015 violated HIPAA.

    According to OCR, the disclosure of patient information that prompted OCR’s HIPAA charges resulted from a physician associated with the practice commenting to a local television station reporter doing on a story about a disabled patient’s complaint to the station that Allergy Associates turned her away from a scheduled appointment because of her use of a service animal.  After the patient contacted the television statement to complain about being turned away by the practice when accompanied by her service animal, the Resolution Agreement indicates that the station contacted the doctor for comment about the dispute between the Allergy Associates’ doctor and the patient.  Although OCR reports its investigation revealed that Allergy Associates’ Privacy Officer instructed the doctor to either not respond to the media or respond with “no comment,” the doctor nevertheless accepted the television station reporter’s invitation to comment and discussed the dispute with the reporter.

    The physician’s comments to the reporter were brought to the attention of OCR when OCR received a copy of an October 6, 2015, HHS civil rights complaint filed on behalf of the patient with the Department of Justice, Connecticut, U.S. Attorney’s Office (DOJ) by the Connecticut Office of Protection and Advocacy for Persons with Disabilities (OPA).  In response to this complaint, OCR initiated a joint investigation with DOJ into the civil rights allegations against Allergy Associates. The complaint also alleged that Allergy Associates impermissibly disclosed the patient’s PHI in violation of HIPAA.

    OCR found the physician’s discussion of the patient’s complaint without first obtaining a HIPAA-complaint authorization from the patient both violated HIPAA and demonstrated a reckless disregard for the patient’s HIPAA privacy rights.  Additionally, Resolution Agreement also states that OCR’s investigation revealed that Allergy Associates did not take any disciplinary or other corrective action against the doctor after learning of his impermissible disclosure to the media.

    To resolve the HIPAA charges, Allergy Associates agrees in the Resolution Agreement and Corrective Action Plan to pay $125,000 as well as to undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

    Other Providers Also Paid High Price To OCR For Sharing PHI With Media

    Of course, OCR enforcement action against and Resolution Agreement with Allergy Associates is just one of several reported OCR actions against health care providers for improperly disclosing or allowing the press or other media access to PHI without patient authorization.

    For instance, a Resolution Agreement announced by OCR on June 14, 2013 required Shasta Regional Medical Center (SRMC) to pay OCR $275,000 and implement a series of corrective actions for using and disclosing to the media PHI of a patient while trying to perform public relations damage control against accusations reported in the media that SRMC had engaged in fraud or other misconduct when dealing with the patient.   That Resolution Agreement resulted from OCR investigating a January 4, 2012 Los Angeles Times article report that two SRMC senior leaders had met with media to discuss medical services provided to a patient.  OCR’s investigation indicated that SRMC failed to safeguard the patient’s PHI from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review also revealed senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.  Further, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

    The sanctions were even greater in the May 10, 2017 Resolution Agreement and Corrective Action Plan OCR announced with the largest not-for-profit health system in Southeast Texas, Memorial Hermann Health System (MHHS) for issuing a press release with the name and other PHI  about a patient arrested and charged with presenting an allegedly fraudulent identification card to MHHS office staff to fraudulently obtain care without first obtaining a HIPAA-compliant authorization from the patient. MHHS paid OCR a $2.4 million resolution payment to resolve HIPAA charges OCR brought against MHHS as well as agreed to implement a detailed corrective action plan.  See $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI.

    The costs of resolution have been even higher when OCR has addressed disclosures to media made by health care providers or other Covered Entities that allowed their desire for media publicity and coverage of their organizations ahead of patient privacy.  For instance, OCR collected a $2.2 million resolution payment from New York Presbyterian Hospital (NYP) for allowing unauthorized filming and photographing of patients in its facility by a television film crew and other staff filming for the television program “NY Med”  in the hospital.  See $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use.

    Furthermore, earlier this year OCR collected a total of $999,0000 from Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH)(collectively, the “Hospitals”) for putting publicity before patient privacy by allowing ABC News documentary film crews to film patients and access other patient information for a news documentary without obtaining prior patient authorization under three settlement agreements with the Hospitals announced by OCR in September, 2018.  The payments were made under three separate settlement agreements between OCR and each respective Hospital made public by OCR in connection with the September 20, 2018 announcement stemming from the Hospital’s allowing ABC film crews to film in patient treatment and other areas for  the ABC medical documentary “Save My Life: Boston Trauma” series.  See $999K Price Hospitals Pay To Settle HIPAA Privacy Charges From Allowing ABC To Film Patients Without Authorization.

    OCR’s concern about and intolerance for improper disclosures of PHI to the media by health care providers and other Covered Entities is further demonstrated by OCR’s publication of  its 2016 Frequently Asked Question (Media FAQ) addressing Covered Entities’ responsibilities when dealing with the media coincident with OCR’s announcement of its Resolution Agreement with NYP in 2016.   The Allergy Associates’ Resolution Agreement further reinforces OCR’s continuing commitment to hold health care providers and other Covered Entities and their business associates accountable for complying with HIPAA when dealing with the press and other media.  In the fact of this commitment, health care providers and other Covered Entities must take the necessary steps to implement the appropriate policies, training and controls to ensure that they and their staff and representatives comply with these directives when dealing with press and other media.

    Resolution Agreement Also Highlights Need For Sensitivity When Dealing With Disabled Patients With Service Animals

    Beyond the HIPAA charges and settlement discussed in the Resolution Agreement, health care providers and other Covered Entities also should heed the factual circumstances that prompted the television interview of the Allergy Associates’ physician that prompted the OCR HIPAA enforcement action as a precautionary warning to ensure that their policies, procedures and staff training for dealing with disabled patients supported by service animals are defensible legally and in the court of public opinion.

    The Allergy Associates Resolution Agreement states that OCR’s HIPAA investigation was conducted in response to and in tandem with a Department of Justice (“Justice Department”) Office of Civil Rights investigation of a complaint that Allergy Associates violated the patient’s civil rights by improperly refusing to allow the patient’s service animal to accompany the patient during the patient’s appointment.  The patient’s complaint about the practice that the television reporter asked for and obtained the comments from the Allergy Associates’ physician that OCR found violated HIPAA related to Allergy Associates refusing to allow the patient to be accompanied by her service animal during her appointment with Allergy Associates.

    While research as of the date of the publication of this article did not uncover any published record of any Justice Department prosecution or settlement or other official notification concerning the Justice Department civil rights investigation against Allergy Associates, the Justice Department Office of Civil Rights as well as the HHS OCR Civil Rights Division have in the past pursued enforcement action against health care providers and others for improperly restricting or denying access to care or facilities by disabled persons based on their accompaniment by service animals.

    Title III of the Americans With Disabilities Act (“ADA”) generally prohibits places of public accommodations, including the professional office of a health care provider, from discriminating against any individual on the basis of disability in the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation, by any person who owns, leases (or leases to), or operates a place of public accommodation, including health care services. 42 U.S.C. § 12182(a); 28 C.F.R. § 36.201. The ADA also requires that such entities make reasonable modifications in policies, practices, or procedures to permit the use of service animals by people with disabilities. 42 U.S.C. § 12182(b)(2)(A)(ii); 28 C.F.R. § 36.302(c).  Health care providers also generally are prohibited from discriminating against and required to provide accommodation to individuals with disabilities under the Rehabilitation Act and the Medicare statutes.

    The Justice Department, HHS and courts have interpreted these disability prohibition and accommodation laws as making it illegal for a health care provider or its agent to fail to make reasonable accommodations for a person with a service animal unless the health care provider proves (1) the accommodations would fundamentally alter the nature of the facility or service it provides; or (2) based upon an individual assessment, the hospital determines that the service animal poses a substantial and direct threat to health or safety which cannot be mitigated by reasonable accommodations.  See, e.g., Tamara v. El Comino Hospital, 964 F.Supp.2d 1077 (N.D.Ca. 2013).

    While other types of discriminatory actions by health care providers found to be in violation of these rules often trigger substantial damage awards, administrative penalties, disqualification or restriction of Medicare and other federal program participation for violation of Conditions of Participation, to date the reported agency and judicial enforcement actions brought against health care providers for improperly refusing to allow service animals to accompany patients when accessing facilities or receiving care generally have ordered injunctive or other corrective action but have not imposed substantial damage or administrative penalties upon the culpable provider.  Health care providers should avoid the temptation to underestimate the potential seriousness or liability that their organization is likely to incur based on the current lack of substantial financial damage awards or administrative sanctions, however.  The 11th Circuit’s ruling in Sheely v. MRI Radiology Network, P.A., 505 F.3d 1173 (11th Cir. 2007), that noneconomic compensatory damages were available as a remedy for the emotional distressed caused by the violation under the Rehabilitation Act and that the voluntary correction of its policies during the pendency of the litigation did not render moot Sheely’s claim for monetary relief clearly opens the door for a jury to award substantial damages against a health care provider when the jury perceives the circumstances warrant.   Furthermore, health care providers need to keep in mind the typically financial and operational burdens of defending litigation or a Justice Department or HHS OCR Civil Rights investigation and costs of implementation and compliance with administrative or injunctive orders to take corrective action as well as the negative public relations attend these types of complaints, their investigation and resolution. Moreover, health care providers participating in Medicare, Medicaid or other federal health care programs also need to take into account the possibility that an alleged violation of these nondiscrimination rules also can serve as a basis for investigation of compliance with applicable Conditions of Participation for program participation and reimbursement.  Considering these risks, physician and other health care providers should heed the reminder of their obligations to offer and provide proper accommodation to allow appropriate access to disabled individuals with disabilities  requiring service animal support and take steps to review and update their policies, practices and staff training to minimize the risk of potential charges of violation of these requirements.

    Health Care Providers, Other Covered Entities Encouraged To Act To Manage HIPAA & Disability Accommodation Risks

    The Allergy Associates and other HIPAA Resolution Agreements arising from improper sharing of PHI with the press or other media make clear the need for health care providers and other Covered Entities to exercise great care when dealing with the press and other media.

    Clearly, health care providers and other Covered Entities should heed the warning by conducting a risk assessment of their organization’s susceptibility to potential improper disclosures to media or others and reviewing and implementing necessary written policies, procedures and training to prevent the improper disclosure of patient PHI to media or others unless the Covered Entity either secures prior HIPAA-compliant authorization from the patient or can prove the disclosure falls squarely under an exception to the Privacy Rule’s prohibition against disclosure of PHI without authorization except as allowed by the Privacy Rule.

    Based on experiences reported in the Allergy Associates and other Resolution Agreements and OCR guidance concerning media disclosures, Covered Entities also generally will want to ensure that their policies, procedures and training extend to all potential sources of communications that could involve patient information and make clear that the Privacy Rule restrictions must be followed even if the circumstances involve allegations of misconduct, special performance by healthcare providers or others that it would benefit the organization or certain individuals to have known to the public, or other circumstances likely to be of interest to the media or other parties.

    As part of this process, health care providers and other Covered Entities should ensure they look outside the four corners of their Privacy Policies to ensure that appropriate management, supervision, training and direction is provided to address media, practice transition, workforce communication and other policies and practices that may be covered by pre-existing or other policies of other departments or operational elements not typically under the direct oversight and management of the Privacy Officer such as media relations. Media relations, physician and patients affairs, outside legal counsel, media relations, marketing and other internal and external departments and consultants dealing with the media, the public or other inquiries or disputes should carefully include and coordinate with the privacy officer both to ensure appropriate policies and procedures are followed and proper documentation created and retained to show authorization, account, or meet other requirements.

    In conducting this analysis and risk assessment, it also is important that Covered Entities include, but also look beyond the four corners of their Privacy Policies to ensure that their review and risk assessment identifies and assesses and addresses compliance risks on an entity wide basis. This entity-wide assessment should include both communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer.

    For this reason, Covered Entities also generally will not only to adopt and implement specific policies, processes and training in these other departments to prohibit and prevent inappropriate disclosures of PHI in the course of those departments operations. As part of these processes, Covered Entities generally will want to implement a  pre-established process for reviewing media or other communications for potential PHI content which includes a requirement for  prior review of any proposed public relations and other internal or external communications containing patient PHI or other information by the privacy officer, legal counsel or another suitably qualified party.

    Because of the high risk that the preparation or review of media or other public communications reports will involve the use and disclosure of PHI, Covered Entities also generally should verify that all outside media or public relations, legal, or other outside service providers participating in the investigation, response or preparation or review of communications to the media or others both are covered by signed business associate agreements that fulfill the Privacy Rule and other requirements of HIPAA as well as possess detailed knowledge and understanding of the Privacy and Security Rules suitable to participate in and help safeguard the Covered Entity against violations of these and other Privacy Rules. See e.g., Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements.

    About the Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health care and health benefit arrangements, contracts, systems, and processes throughout her career.  In addition to her extensive provider and payer contracting work, Ms. Stamer also is recognized for her knowledge, experience and leadership on health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

    Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

    As a key part of this work, Ms. Stamer throughout her career regularly has worked with health care providers and payers, employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce managed care and other contracts, benefit plans and insurance arrangements, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors, supplier, and patient and member relations and requirements; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

    Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

    Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | Academic medicine, ADA, Ambulatory care, Anethesiology, Centers For Disease Control, Child Care, Childrens Health Insurance Program, Civil Rights, Clinical pathway, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, Cultural diversity, Cyber crime, data breach, DEA, Direct Primary Care, Disability Discrimination, Discrimination, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, FACTA, FDA, Fiduciary Responsibility, GINA, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Indian Health, managed care, Meaningful Use, medical devices, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Mental Health, OCR, pain management, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Provider contracting, Reimbursement, Uncategorized, Wellness | Permalink
    Posted by Cynthia Marcotte Stamer

    Record $16M HIPAA Sanction Shows Need For Current Enterprise Risk Assessment; ONC/OCR Share New Tool To Help HIPAA Covered Entities Comply

    October 17, 2018

    Following on the heels of Monday’s announcement that Anthem, Inc. is paying a record setting $16 million to resolve charges its violations of the enterprise risk assessment and other requirements of the Health Insurance Portability & Accountability Act (HIPAA) Security Rule allowed cybercriminals to breach the electronic protected health information (ePHI) of more than 79 million patients, physicians and other health care providers, health plans and health insurers, health care clearinghouses (covered entities) and their service providers acting as their business associates (business associates) (hereafter collectively “HIPAA Entities”) should reconfirm their own and their business associates’ compliance with the HIPAA Security Rule’s enterprise risk assessment and other ePHI security requirements.

    When conducting these assessments, HIPAA Entities generally will want to ensure that their new enterprise risk assessment documents their consideration of the newly updated Security Risk Assessment (SRA) Tool jointly announced yesterday (October 16, 2018) by the Department of Health & Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and OCR, lessons shared in OCR’s $16 million Anthem, Inc. resolution agreement, $5.55 million resolution agreement with Memorial Healthcare System and other OCR HIPAA resolution agreements, civil monetary penalty assessments and other Security Rule guidance, as well as other emergent internal and external data suggesting potential susceptibilities of their own systems and data to breach or loss.

    HIPAA Entities are reminded that HIPAA requires that all HIPAA covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by their organization.  Any HIPAA Entity that hasn’t already conducted a recent, appropriately documented enterprise wide risk analysis or updated their analysis in response to changes in equipment, vendors or emerging threats and developments should do so as soon as possible.

    HIPAA’s requirement that HIPAA entities conduct and maintain an appropriately comprehensive and timely updated enterprise-wide risk analysis of potential security threats to ePHI both an affirmative requirement of the HIPAA Security Rule and an indispensable process to help healthcare organizations understand their security posture to prevent, detect, respond to and mitigate potential legal, operational and reputational costs that commonly result when ePHI or other sensitive information is breached or destroyed.

    The importance of HIPAA entities having and being able to produce in the event of a breach or OCR audit an up-to-date, comprehensively enterprise risk assessment and response plan cannot be overstated.  Beyond OCR’s publication of extensive regulatory guidance and educational outreach discussing the responsibility to conduct and maintain documentation of appropriate enterprise risk assessments, virtually every announced HIPAA Security Rule civil monetary penalty assessment and other enforcement action identifies violation of the HIPAA Security Rule’s enterprise risk assessment requirements among the material transgressions committed and required to be corrected by HIPAA entities like Anthem, Inc. subjected to Security Rule enforcement.

    The updated SRA Tool jointly released by OCR and ONC on October 16, 2018 further reinforces the importance of complying with the enterprise wide risk assessment requirement while simultaneously encouraging and facilitating compliance by small to medium sized health care practices.  Particularly designed with an eye to helping health care providers that work as solo practitioners or in groups with 10 or less health care providers and their business associates identify risks and vulnerabilities to ePHI, OCR says the updated SRA Tool “provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI” and incorporates new features to make the tool “more user friendly.” New features OCR hopes will make the SRA tool more user friendly include:

    • Enhanced User Interface
    • Modular workflow with question branching logic
    • Custom Assessment Logic
    • Progress Tracker
    • Improved Threats & Vulnerabilities Rating
    • Detailed Reports
    • Business Associate and Asset Tracking
    • Overall improvement of the user experience

    HIPAA Entities should take note, however, that as of its October 16, 2018 released date, the updated version of the SRA Tool currently is only available in Windows format.  OCR has indicated that the OCR and ONC have not yet updated the OS iPad version of the previously published version of the SRA Tool. While the previous OS iPad version remains available at the Apple App Store exit disclaimer icon (search under “HHS SRA Tool”), HIPAA Entities that presently use or plan to use the OS iPad tool should consider comparing the prior tool against the updated Windows SRA Tool to verify the continued suitability of its continued use and any adjustments in understanding or application that might be warranted by these differences.  Additionally, HIPAA Entities also should review the revised User Guide available on the SRA Tool’s website before starting the assessment.

    While the SRA Tool provides valuable guidance to help HIPAA Entities to conduct their own enterprise wide risk assessment, HIPAA Entities should keep in mind that the responsibility to assess their enterprise wide risk and to update their security safeguards to respond to these risks is a continuous one.  While using the SRA Tool is an excellent starting point for beginning this assessment, HIPAA Entities need to realize that OCR expects HIPAA Entities to tailor their assessments to identify and respond to the full range of risks and exposures to their ePHI and associated systems and to constantly reevaluate and adjust these assessments in response to emerging system and ePHI threats identified in the course of their operations as well as external developments suggesting previously unidentified or inadequately appreciated threats.  Moreover, in addition to conducting the risk assessment, OCR regulatory guidance and guidance drawn from OCR’s civil monetary settlements resolution agreements and other enforcement and audit activities also make clear that in addition to conducting the enterprise wide risk analysis, HIPAA entities also need to be prepared to produce documentation that their organizations took appropriate and timely action to address the risks identified in the risk assessment in accordance with the HIPAA Security Rule.

    In addition to mitigate their exposure to potentially substantial HIPAA civil monetary penalties for violating the HIPAA Security Rule, HIPAA Entities also should keep in mind the potential role that their conduct and maintenance of appropriately comprehensive enterprise wide security risk assessments can play in helping to mitigate other legal, financial, operational and reputational risks that commonly also arise along with the HIPAA exposures associated with a breach of HIPAA.  In addition to HIPAA’s Security Rules for ePHI, HIPAA Entities typically also are subject to a hodgepodge of non-HIPAA statutory, regulatory and/or contractual obligations to safeguard patient, employee, business partners and other individual, financial, health, tax, peer review and credentialing, trade secrets and other confidential information against improper use, access, destruction or disclosure.  Examples of such obligations include the privacy and data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code and other tax laws, federal and state consumer debt and information, electronic crime, data security and identity theft statutes; federal and state trade secret and intellectual property laws; and others, for which violations often equal or substantially exceed the civil monetary penalty liability that commonly arise under the HIPAA Security Rule.  The experience of Anthem, Inc. illustrates this point.  While the $16 million resolution payment that OCR announced Anthem, Inc. is paying to resolve its HIPAA civil monetary penalty exposures for allowing the breach of the ePHI of 79 million individuals, this payment reflects only a very small portion of the overall liability that Anthem, Inc. incurred from data breach that lead to this resolution payment.  Anthem, Inc. also separately already reportedly also has paid more than $115 million to settle other statutory and contractual liabilities arising from the breach separate as well as substantial investigatory and defense costs in addition to the HIPAA liabilities settled under the resolution agreement announced Monday.  Other HIPAA Entities subjected to HIPAA civil monetary penalties or paying resolution payments to OCR also typically also have incurred substantial non-HIPAA sanctions and settlements, as well as other defense, investigation, operational and reputational losses as a result of their breaches.  HIPAA Entities should strive to ensure that their HIPAA enterprise wide risk assessment and compliance efforts are properly coordinated and administered to manage these overall risks and responsibilities in addition to their HIPAA-specific responsibilities and liabilities.

    Because enterprise wide risk assessments and discussions of their structuring, scope and findings are likely to produce legally sensitive evidence, HIPAA Entities are encouraged to seek the advice of qualified and suitably experienced legal counsel about the advisability of conducting all or certain aspects of an enterprise wide risk analysis and their documentation of their risk evaluation and response to take advantage of possible attorney-client privilege, work-product or other evidentiary rules before or throughout the risk assessment and response process and deliberations.

    About The Author

    A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

    Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

    Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

    In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

    Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

    As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

    In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

    Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

    Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

    Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.

     

    Leave a Comment » | Ambulatory care, Anethesiology, Cyber crime, data breach, Doctor, Electronic Medical Records, Employer, ERISA, FACTA, Fiduciary Responsibility, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Qulity, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospital, Indian Health, Uncategorized | Permalink
    Posted by Cynthia Marcotte Stamer

    HIPAA Lessons Every Health Plan, Health Care Provider & Business Associate Should Learn From Bankrupt FileFax’s HIPAA Settlement

    February 16, 2018

    Health care providers, health plans and insurers, health care clearinghouses (Covered Entities) and their business associates within the meaning of the Health Insurance Portability & Accountability Act (HIPAA) should heed the warnings contained in the new Resolution Agreement (FileFax Resolution Agreement) with former HIPAA business associate FileFax, Inc. announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) about their own need to ensure that they and their business associates comply with HIPAA’s business associate and other Privacy, Security, Breach Notification rules as well as the advisability of tightening up their risk management and oversight of business associates that handle protected health information (PHI).

    Significant for business associates as what appears to be the first announced resolution agreement with a business associate directly charged by OCR with violating HIPAA and the second resolution agreement pursued and reached with a HIPAA-regulated entity in bankruptcy, the FileFax, Inc. Resolution Agreement OCR announced February 13, 2018 also contains critical lessons for Covered Entities about their dealings with their own business associates when read in conjunction with the April, 2017 resolution agreement the Center for Children’s Digestive Health (CCDH) agreed to resolve OCR charges CCDC, as a Covered Entity, violated HIPAA by allowing FileFax, Inc. to act as its business associate without adequately complying with HIPAA’s business associate requirements.

    With widespread media coverage over large scale breaches of health care and other sensitive information placing further pressure upon OCR and other governmental agencies to act to protect Americans’ privacy and data fueling even greater demands for OCR and other agencies to take meaningful action to enforce HIPAA and other privacy and data security requirements, health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates can expect OCR and other agencies to continue to turn up the heat on investigation and enforcement of HIPAA compliance.

    In the face of these developments, Covered Entities, their business associates and those responsible for their leadership and operations need to recognize and take the necessary steps both effectively to manage their own HIPAA compliance and risk management as well as to anticipate and make provision to deal with the likelihood that they may face HIPAA responsibilities, exposures and other fallout from their own or another business partner’s breach of PHI or other sensitive data or other HIPAA violations, bankruptcy or other business distress, or other compliance or business event.

    HIPAA Privacy, Security & Breach Notification Rule Responsibilities & Risks

    The Privacy Rule requires that Covered Entities and their vendors that qualify as “business associates” under HIPAA comply with detailed requirements concerning the protection, use, access, destruction and disclosure of PHI.  As part of these requirements, Covered Entities and their business associates must adopt, administer and enforce detailed policies and practices, assess, monitor and maintain the security of electronic protected health information (ePHI) and other protected health information, provide notices of privacy practices and breaches of “unsecured” ePHI, afford individuals that are the subject of protected health information certain rights and comply with other requirements as specified by the Privacy, Security and Breach Notification Rules.  In addition, Covered Entities and business associates also must enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the Covered Entity. Furthermore, the Privacy Rule includes extensive documentation and keeping requirements require that Covered Entities and BAs maintain copies of these BAAs for a minimum of six years and to provide that documentation to OCR upon demand.

    Violations of the Privacy Rule can carry stiff civil monetary penalties or even criminal penalties.  Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

    Resolution Agreements the just announced FileFax Resolution Agreement allow Covered Entities and business associates to resolve potentially substantially larger civil monetary penalty liabilities that OCR can impose under the civil enforcement provisions of HIPAA for HIPAA violations through a negotiated settlement process.  As amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both Covered Entities and BAs for violations of any of the requirements of the Privacy or Security Rules.  The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation.  As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

    • A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
    • A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the Covered Entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
    • A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
    • A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the Covered Entity or BA knew or should have known of the violation.

    For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation.  However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year.  For violations such as the failure to implement and maintain a required BAA where more than one Covered Entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

    In addition to these potential civil liability exposures, Covered Entities, their business associates and other individuals or organizations that wrongfully use, access or disclose electronic or other protected health information also can face civil liability under various circumstances.  The criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

    • A fine of up to $50,000, imprisoned not more than 1 year, or both;
    • If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
    • If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

    Because HIPAA Privacy Rule criminal violations are Class A Misdemeanors or felonies, Covered Entities and business associates should include HIPAA compliance in their Federal Sentencing Guideline Compliance Programs and practices and need to be concerned both about criminal exposure for their own direct violations, as well as imputed organizational liability for violations committed by their employees or agents under the Federal Sentencing Guidelines, particularly where their failure to implement or administer these required compliance policies and practices or failure to properly investigate or redress potential violations enables, perpetuates or covers up the criminal breach.

    FileFax, Inc.  Breach & Resolution Agreement

    While Congress amended the Civil Monetary Penalty provisions of HIPAA enforced by OCR to make many of the requirements and Civil Monetary Penalty sanctions of HIPAA directly enforceable by OCR against business associates as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, the FileFax Resolution Agreement appears to be the first HIPAA resolution agreement with a business associate announced by OCR.

    Indeed, OCR’s enforcement action that resulted in the FileFax Resolution Agreement would never have occurred had FileFax, Inc. not become involved in handling medical records containing PHI in the capacity of a business associate for Covered Entities.

    Before filing for bankruptcy in 2016, FileFax, Inc. advertised it provided HIPAA-compliant storage, maintenance, and delivery of medical records for HIPAA Covered Entities including Illinois based health care provider CCDC, which entered into a resolution agreement with OCR in April, 2017 to resolve OCR charges that it violated HIPAA by allowing FileFax, Inc. to handle PHI without fulfilling HIPAA’s business associate agreement requirements.

    Like the CCDC Resolution Agreement, the FileFax, Inc. Resolution Agreement resulted from an investigation of FileFax, Inc. that OCR began in response to a February 10, 2015 anonymous complaint filed with OCR about FileFax, Inc. about deficiencies in its delivery of these HIPAA services in its capacity as a business associate to Covered Entities. The complaint to OCR alleged that FileFax, Inc. violated these requirements because an individual transported medical records obtained from FileFax, Inc. to a shredding and recycling facility to sell on February 6 and 9, 2015.

    OCR’s investigation of the complaint against FileFax, Inc. confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ PHI.  OCR’s investigation additionally found that between January 28, 2015, and February 14, 2015, FileFax, Inc. impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the FileFax, Inc.  parking lot, or by granting permission to an unauthorized person to remove the PHI from FileFax, Inc. and leaving the PHI unsecured outside the FileFax, Inc. facility.

    After OCR commenced its investigation of the complaint, FileFax, Inc. was placed into bankruptcy and a receiver was appointed to liquidate FileFax, Inc.’s assets for distribution to creditors and others in 2016.  Despite the bankruptcy, OCR continued to pursue enforcement against FileFax, Inc. for the HIPAA violations it found through its investigation.  On February 13, 2018, OCR announced that that the receiver on behalf of FileFax, Inc. had agreed in the FileFax Resolution Agreement to pay a $100,000 monetary settlement out of the bankruptcy estate and to arrange to properly store and dispose of remaining medical records found at FileFax, Inc.’s facility in compliance with HIPAA to resolve OCR’s HIPAA charges against FileFax, Inc.

    OCR Previously Sanctioned Covered Entity For Involvement With FileFax, Inc.

    Beyond affirming the exposure business associates to OCR civil monetary penalties or other enforcement for violating HIPAA, the FileFax Resolution Agreement in conjunction with OCR’s previously announced April 20, 2017 resolution agreement (CCDC Resolution Agreement) with CCDC also demonstrates the need for Covered Entities to recognize that their organizations are likely to face HIPAA investigations or enforcement from HIPAA violations by or OCR audits or investigations of the conduct of their business associates.

    In fact, this is exactly what happened to CCDC.  A small, Illinois based Covered Entity, CCDC used FileFax, Inc. to store and dispose of medical records.  As a consequence of the FileFax, Inc. investigation, OCR conducted a compliance review of CCDC.  OCR reports that its compliance review revealed that while CCDC had disclosed to and allowed FileFax, Inc. to store records containing PHI for CCDC since in 2003, neither party could produce a signed business associate agreement (BAA) prior to October 12, 2015.   As a consequence, OCR charged CCDC with violating HIPAA by disclosing PHI to FileFax, Inc. in violation of HIPAA’s business associate requirements.

    To resolve its exposure to potentially much greater civil monetary penalties associated with this charge, CCDC agreed under the CCDC Resolution Agreement to pay OCR a $31,000 resolution payment and take a variety of corrective actions.  Beyond requiring CCDC to implement and maintain  written business associate agreements before allowing business associates to possess or access PHI, the corrective action plan imposed as part of the CCDC Resolution Agreement also expressly requires CCDC to promptly investigate information of a possible violation of its HIPAA policies and procedures by  a “workforce member,” which the Privacy Rule defines to include a business associate, and if the investigation reveals a violation, to report the violation and corrective action taken to OCR.

    OCR Enforces HIPAA Against Covered Entities & Business Associates In Bankruptcy

    OCR’s announcement of the FileFax Resolution Agreement also is significant in its reaffirmation of OCR to its commitment to HIPAA enforcement, even if the HIPAA-violating Covered Entity or business associate goes bankruptcy.

    OCR’s enforcement action against FileFax, Inc. despite its bankruptcy and its successful negotiation of the FileFax Resolution Agreement within the bankruptcy should alert Covered Entities and business associates that OCR does not consider the bankruptcy of a Covered Entity or business associate as an obstacle to OCR enforcement against Covered Entities or business associates that violate HIPAA.   The seriousness of OCR’s commitment to enforcement, even in the face of bankruptcy is driven home by its announcement of the FileFax Resolution Agreement on the heels of its December, 2017 announcement of its first OCR HIPAA resolution agreement secured with the formal approval of a bankruptcy court, a resolution agreement (21CO Resolution Agreement) against bankrupt health care provider, 21CO.

    Secured with bankruptcy court approval, the 21CO Resolution Agreement resolved potentially much larger civil monetary penalties that the Fort Myers, Florida based provider of cancer care services and radiation oncology could have faced for alleged HIPAA breaches OCR charged it committed in connection with its failure to adequately act to prevent and respond to hacking and misappropriation of records containing sensitive electronic protected health information (ePHI) of up to 2,213597 individuals.

    The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 than unauthorized third party illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by a FBI informant.  As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.

    Although it knew of the breaches in November and December, 2015, 21CO waited more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March, 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.

    When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused.  However some victims of the breach subsequently have claimed being victimized by a variety of scams since the breach in news reports and lawsuits about the breach.

    At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues.  On December 16, 2015, 21CO announced that a 21CO subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015).  Among other things, the corporate integrity agreement required by that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws.  In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA.  See 21CO 8-K Re: GAMMA Settlement March 9, 2016 ;  See also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.

    Based on OCR’s subsequent investigation into these breaches, OCR found:

    • 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
    • 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
    • 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
    •  21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. §164.308(a)(1)(ii)(D);
    • 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

    In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement entered into with the approval of the Bankruptcy Court requires that 21CO pay OCR a $2.3 million Resolution Amount and implement to OCR’s satisfaction a corrective action plan that among other things requires that 21CO complete a detailed series of corrective actions to the satisfaction of OCR.

    In addition to the OCR investigation that lead to the 21CO Resolution Agreement announced by OCR on December 28, 2017, 21CO experienced other fallout following its March 4, 2016 public disclosure of the breach.  Not surprisingly, the breach notification led to a multitude of class-action civil lawsuits by breach victims and shareholders.  See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits.  Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts.  See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.

    These and other developments also had significant consequences on 21CO’s financial status and leadership.  By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements.  Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders, default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.

    Because 21CO sought bankruptcy court protection from the fallout of its HIPAA breaches and other compliance and business issues, the 21CO Resolution Agreement required bankruptcy court approval. Funds for payment of the required $2.3 million resolution payment and other charges associated with the investigation apparently are being provided in part from breach liability insurance coverage provided under a policy issued by Beazley Insurance, as the Bankruptcy Court order directs Beazley Breach Response Policy No. W140E2150301 to make immediate payment to the OCR of the resolution amount and the payment of fees incurred by 21CO in connection with regulatory defense issues.

    HIPAA & Data Breach Enforcement & Other Risks Growing 

    Covered Entities, their business associates, their leaders, investors and members of their workforce need to recognize that the FileFax, CCDC, 21CO and other resolution agreements are part of a growing trend, rather than isolated incidents of enforcement and that their exposure to investigation and enforcement is likely to continue to rise in the face of growing public and Congressional concern about privacy and data security.

    While civil monetary penalty enforcement remains much more common than criminal prosecution, Covered Entities, their business associates and members of their workforce must understand that HIPAA enforcement and resulting liability is growing and that this trend is likely to continue if not increase.

    While Department of Justice federal criminal prosecutions and convictions under HIPAA remain relatively rare, they occur and are growing.  See e.g.,  Former Hospital Employee Sentenced for HIPAA Violations (Texas man sentenced to 18 months in federal prison for obtaining protected health information with the intent to use it for personal gain); Three Life Sentences Imposed On Man Following Convictions For Drug Trafficking, Kidnapping, Using Firearms and HIPAA Violations (drug king pin gets multiple 10 year consecutive prison terms for unauthorized access to private health information in violation of HIPAA; his health care worker friend sentenced for accessing electronic medical files and reporting information to him); Former Therapist Charged In HIPAA Case; Hefty Prison Sentence in ID Theft Case (former assisted living facility worker gets 37 months in prison after pleading guilty to wrongful disclosure of HIPAA protected information and other charges); Hefty Prison Sentence in ID Theft Case (former medical supply company owner sentenced to 12 years for HIPAA violations and fraud).  While the harshest sentences tend to be associated with health care fraud or other criminal conduct, lighter criminal sentences are imposed against defendants in other cases as well. See e.g., Sentencing In S.C. Medicaid Breach Case (former South Carolina state employee sentenced to three years’ probation, plus community service, for sending personal information about more than 228,000 Medicaid recipients to his personal e-mail account.); HIPAA Violation Leads To Prison Term (former UCLA Healthcare System surgeon gets four months in prison after admitting he illegally read private electronic medical records of celebrities and others.)

    While criminal enforcement of HIPAA remains relatively rare and OCR to date only actually has assessed HIPAA civil monetary penalties against certain Covered Entities for violating HIPAA in a couple isolated instances, the growing list of multi-million dollar resolution payments against Covered Entities and with the FileFax Resolution Agreement announcement, now also business associates for violating HIPAA make clear that HIPAA enforcement is both meaningful and growing.   See e.g., Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules ($3.2 million Children’s Medical Center HIPAA Civil Monetary Penalty);  1st HIPAA Privacy Civil Penalty of $4.3 Million Signals CMS Serious About HIPAA Enforcement;  $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit.  For more examples, also see here.

    The experiences of FileFax, Inc., CCDC, 21CO and these other OCR HIPAA Resolution Agreements provide strong evidence that that health plans and other Covered Entities and their business associates can anticipate that OCR will continue to zealously investigate HIPAA breaches and other HIPAA violations.  Aside from OCR’s recurrent affirmations of its commitment to HIPAA enforcement, Covered Entities, their business associates and their leaders must recognize that public and Congressional privacy and data security concerns fueled by the ever growing stream of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses are creating additional pressure upon OCR and other agencies to pursue even stronger and more aggressive HIPAA oversight and enforcement. Amid this growing concern, OCR, the FTC and other federal and state agencies with regulatory or enforcement authority over HIPAA or other data security and privacy concerns face increasing scrutiny and pressure to take meaningful action to regulate and enforce HIPAA and other laws intended to protect sensitive data even as private litigants enjoy increasing success in obtaining civil judgments from damages resulting from breaches of their PHI or other sensitive personal information using an expanding arsenal of legal theories of recovery.  In the face of these growing concerns about privacy and data security, OCR can be expected to continue, if not increase its HIPAA compliance enforcement and oversight by OCR.

    Furthermore, the experiences of FileFax, Inc., 21CO, CCDC and other Covered Entities and business associates that already have become the subject of OCR investigation or enforcement also reflect that HIPAA resolution payments or penalties paid to OCR and other costs and expenses associated with the defense and resolution of OCR’s investigations and enforcement actions typically only a portion of the financial and other business consequences that Covered Entities or business associates might expect to incur as a consequence of a breach of PHI or other substantial HIPAA violation or charge.

    Beyond their potential HIPAA enforcement exposures following a HIPAA covered data breach or other violation, health care or other Covered Entities and members of their workforce experiencing breaches of ePHI or other PHI often also face FTC or other government investigations and enforcement relating their data breaches under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other laws.  They or members of their workforce may face licensing board, credentialing, accreditation, contractual or other investigations or sanctions.  Victims, business partners, investors and others often bring civil litigation to address losses or other injures associated with the breach or other misconduct.  In addition, losses and disruptions in patients, plan member, vendor, investor, employee, management and other business relationships, and other business disruptions also are common.

    Where the breach of other HIPAA violation involves a health plan, health plans, their fiduciaries and sponsors also need to give due consideration to the implications and exposures that might arise under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Beyond the direct exposure of their health plan to HIPAA and other compliance liabilities, health plan fiduciaries generally will want to consider whether their fiduciary responsibility under ERISA requires that prudent or other steps be taken to safeguard health plan information and maintain and administer their health plan in accordance with HIPAA and other laws.  As a consequence, fiduciaries generally will want to ensure that they take and document prudent steps to evaluate, monitor and address HIPAA and other privacy and data security safeguards to minimize not only the liability exposures of their health plans, but also to help mitigate their own potential personal liability exposures that could arise or be asserted in response to a HIPAA breach or other HIPAA violation involving their health plans.

    In the face of these growing risks and liabilities, Covered Entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences.  In addition to reaffirming the need for Covered Entities and their business associates to take the necessary steps to maintain and effectively demonstrate the adequacy of their own HIPAA compliance, the CCDC and FileFax Resolution Agreements alert Covered Entities and business associates of the advisability of greater oversight and risk management of their dealings and relationships with the other Covered Entities and business associates with access to or involvement with their PHI or other critical functions.

    In light of these rises, leaders, investors, insurers, lenders and others involved with Covered Entities and their business associates should take steps to verify that the Covered Entities and their business associates not only maintain compliance with HIPAA and its business associate and other privacy, data security and breach notification and response requirements, but also maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.  The bankruptcies and other financial and business fallout of HIPAA or other data breaches experienced by FileFax, Inc. 21CO and other HIPAA-covered and non-HIPAA regulated entities also makes clear that Covered Entities and business associates should anticipate that their own fallout from a breach or other HIPAA event and resulting responsibilities and consequences could be impacted by their own or a business associate’s financial distress or bankruptcy.  Beyond the risk that their own or another entity’s breach, compliance issues, or other financial or business issues could trigger breach investigation, notice or other responsibilities for their own organizations, Covered Entities, business associates and their leaders also should evaluate and revise their HIPAA risk assessments and security plans to address foreseeable threats to the availability, access, retention and security of PHI and associated records and systems.

    The Bankruptcy Court’s order to 21CO’s cyber liability insurer to pay the resolution payment required under the 21CO Resolution Agreement and other costs of investigation and defense also strongly suggests that the purchase of insurance and other arrangements for funding costs of defense or settlement should be included in these evaluations.

    In light of these rises, leaders, investors, insurers, lenders and others involved with Covered Entities and their business associates should take steps to verify that the Covered Entities and their business associates not only maintain compliance with HIPAA, but also comply with data security, privacy and other information protection requirements arising under other laws, regulations, and contracts, as well as the practical business risks that typically follow the announcement of a breach.  Considering these risks, Covered Entities and their business associates should recognize the advisability of taking meaningful, documented action to verify their existing compliance and ongoing oversight to ensure their organizations can demonstrate appropriate action to maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.

    As part of these efforts, Covered Entities and their business associates should ensure that they have conducted, and maintain and are ready to produce appropriate policies and procedures backed up by a well-documented, up-to-date industry wide risk assessment of their organization’s susceptibility to breaches or other misuse of electronic or other protected health information.  The starting point of these efforts should be to adopt and enforce updated written policies, procedures, technical and physical safeguards, processes and training to prevent the improper use, access, destruction or disclosure of patient PHI.  Processes also should create, retain and be designed to cost effectively track, capture, and retain both all protected health information, its use, access, protection, destruction and disclosure, and the requisite supportive documentation supporting the appropriateness of those action to position the organization cost-effectively and quickly to fulfill required accounting, reporting and other needs in the event of a data breach, audit, participant inquiry or other event.

    As part of this process, Covered Entities and business associates should maintain strong and ongoing processes for assessing and monitoring the adequacy of their policies and practices.  In addition to ensuring that their organization has a comprehensive risk management and compliance assessment, Covered Entities and business associates need to conduct documented periodic audits and spot HIPAA audits and assessments.  In doing so, they must use care to look outside the four corners of their Privacy Policies and core operating systems to ensure that their policies, practices, oversight and training address all protected health information within their operations on an entity wide basis. This entity-wide assessment should include communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer.

    In connection with these efforts, the enforcement actions make clear that Covered Entities and business associates should adopt, implement and monitor PHI privacy, and security on an entity wide basis.  These efforts should include general policies, practices and procedures as well as specifically tailored policies, processes and training to protect PHI and preserve HIPAA compliance throughout their organization. Testing and analysis should be conducted on a regular basis.  Documented reassessments and testing should be performed in response to software, hardware or other changes or events that could impact security or other operations.  Beyond security, attention also should cover business or system interruption including losses that might occur from the bankruptcy, termination of business or other disruptions of business associates or other parties.  Attention should be paid both to protecting access and use of PHI and ePHI in the course of business as well as the transmission, transport, storage and destruction of records or systems containing such information.

    Careful attention should be devoted to ensuring that business associate agreements   as well and other processes provide for HIPAA compliance with respect to all PHI created, used, accessed or disclosed to business associates or others not part of their direct workforce or operating outside the core boundaries of their facilities.

    Covered entities and their business associates also must recognize and design their compliance efforts and documentation recognizing that HIPAA compliance is a living process, which require both constant diligence about changes in systems or other events that may require reevaluation or adjustments, whether from changes in software, systems or processes or external threats.

    Because the cost of responding to and investigating breaches or other compliance concern can be quite burdensome, Covered Entities and their business associates also generally will want to pursue options to plan for and minimize potential expenses in the design and administration of their programs as well as to minimize and cover the potentially extraordinary costs of breach or other compliance investigation and results that commonly arise following a breach or other compliance event.  As a part of this planning, Covered Entities and their business associates also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures.

    While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts  (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

    • Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
    • Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
    • Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
    • In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

    Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, Covered Entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

    About The Author

    Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with health care providers, health plans, insurers and financial services, and other clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career.  Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

    Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers.    Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  For information about republication, please contact the author directly. All other rights reserved.

     

    Leave a Comment » | Academic medicine, Ambulatory care, Anethesiology, Centers For Disease Control, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Cyber crime, data breach, data security, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, FACTA, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, Health Care, Health care coding, Health Care Provider, health care reimbursement, Health Insurance Exchange, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HHS, HIPAA, HIPAA Cyber Crime, home health, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Joint Commission, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Privacy, Public Policy, Technology, Uncategorized | Permalink
    Posted by Cynthia Marcotte Stamer

    Check Your Medicare/Medicaid Compliance Against Against Quarterly Guidance Changes List

    October 27, 2017

    Healthcare providers, Medicare/Medicaid Advantage Plans, beneficiaries, and suppliers should use the Medicare and Medicaid Programs; Quarterly Listing of Program Issuances—July Through September 2017 published today to help confirm compliance and other practices take into account potentially relevant new key Medicare and Medicaid guidance issued during the period from July 1 to September 30, 2017.

    Staying up-to-date with the latest Program is critical maintain qualification for benefits and rights and avoid getting nailed for harsh civil or even criminal penalties that violations can trigger. However keeping up with the constantly evolving guidance can be daunting.

    The quarterly notice lists updates that happened in the 3-month period along with a hyperlink to the full listing that is available on the CMS Web site or the appropriate data registries that are used as Center for Medicare and Medicaid Services resources. for beneficiaries, providers, and suppliers.

    The resource provides a convenient tool for the public to find the full list of qualified providers for these specific services and offers more flexibility and ‘‘real time’’ accessibility. In addition, many of the Web sites have listservs; that the public can subscribe and receive immediate notification of any updates to the Web site. These listservs avoid the need to check the Web site, as notification of updates is automatic and sent to the subscriber as they occur.

    This notice is organized into 15 addenda so that a reader may access the subjects published during the quarter covered by the notice to determine whether any are of particular interest. Interested persons should use the Quarterly Notice in concert with previously published notices.

    About The Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Ms. Stamer works with health industry and related businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management, disaster and other crisis preparedness and response, and other performance and operations management and compliance. Her experienced includes career long involvement in advising and defending health industry and other organizations about disaster and other crisis preparation, response and mitigation arising from natural and man-made disasters, government enforcement, financial distress, workplace emergencies and accidents, data breach and other cybersecurity and other events.  For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | Academic medicine, Affordable Care Act, ASC, Border Health, Centers For Disease Control, Childrens Health Insurance Program, Conditions of Participation, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cultural diversity, data breach, data security, Disability Discrimination, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, EMTALA, Evidence Based Medicine, false claims act, FDA, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance Exchange, Health IT, healthcare, HIPAA, Home Health, Hospice, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Meaningful Use, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, Money Laundering, NIOSH, OCR, OIG, Outcomes Data, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Psychiatric, quality reporting, Reimbursement, Rural Health Care, Stark, Substance Abuse, Telemarketing, Uncategorized, Veterans Health, Veterans Health Care | Permalink
    Posted by Cynthia Marcotte Stamer

    HHS Picks Hargan As Acting HHS Secretary

    October 11, 2017

    President Trump has appointed Eric D. Hargan Acting Secretary of the U.S. Department of Health and Human Services (HHS).

    Hargan, who was just sworn into office as Deputy Secretary of HHS on Oct. 6, 2017, takes over the duties of former Secretary Dr. Tom Price, who recently resigned in response to criticism about his expenditures for charter flights.

    Before joining HHS, Mr. Hargan was an attorney, most recently a shareholder in Greenberg Traurig’s Chicago office in the Health and FDA Business department, where he focused his practice on transactions, healthcare regulations and government relations. He represented investors, companies, and individuals in healthcare investments and issues across the entire sector.

    From 2003 to 2007, Mr. Hargan served at HHS in a variety of capacities, ultimately holding the position of Acting Deputy Secretary. During his tenure at HHS, Mr. Hargan also served as the Department’s Regulatory Policy Officer, overseeing the development and approval of all HHS, CMS, and FDA regulations and significant guidances.

    Prior to this role, he served HHS as Deputy General Counsel. More recently, he was tapped by Governor Bruce Rauner to serve during transition as lead co-chair for Gov. Rauner’s Healthcare and Human Services committee.

    During his time in Illinois, Mr. Hargan taught at Loyola Law School in Chicago, focusing on administrative law and healthcare regulations. He was a member of the U.S. government team at the inaugural U.S.-China Strategic Economic Dialogue in Beijing in 2006-2007, worked with the State Department’s Bureau of Arms Control to advance biosecurity in developing nations, and initiated and led the HHS team that developed the first responses to international food safety and importation issues in 2007.

    He received his B.A. cum laude from Harvard University, and his J.D. from Columbia University Law School, where he was Senior Editor of the Columbia Law Review. Mr. Hargan also received a Certificate in International Law from the Parker School of Foreign and Comparative Law at Columbia University.

    Before returning to Washington, D.C., Mr. Hargan lived in the suburbs of Chicago with his wife, Emily, and their two sons.

    About The Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Ms. Stamer works with health industry and related businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management, disaster and other crisis preparedness and response, and other performance and operations management and compliance. Her experienced includes career long involvement in advising and defending health industry and other organizations about disaster and other crisis preparation, response and mitigation arising from natural and man-made disasters, government enforcement, financial distress, workplace emergencies and accidents, data breach and other cybersecurity and other events.  For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and publisher disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

    Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Centers For Disease Control, Childrens Health Insurance Program, Conditions of Participation, data breach, data security, DEA, Doctor, Electronic Medical Records, EMTALA, FDA, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medicaid, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, OCR, OIG, Outcomes Data, Outpatient, Peer Review, Pharmaceudical, Pharmacy, Physician, Preexisting Condition Insurance Plan, Prescription Drugs, Privacy, Prospective Payment, Psychiatric, public health, Public Policy, quality reporting, Reimbursement, Reproductive Rights, Rural Health Care, Skilled Nursing Facility, Stark, Substance Abuse, substance abuse treatment, Telemarketing, Telemedicine, Uncategorized, Wellness | Tagged: , , , , , , , , , , , , , , , , , , , , , , , | Permalink
    Posted by Cynthia Marcotte Stamer

    Stamer Speaks, Moderates On Medical Cyber Security At LA Medical Privacy Summit

    May 12, 2017

    Solutions Law Press, Inc. editor and attorney Cynthia Marcotte Stamer will speak and moderate two key panel programs on health care privacy and data security scheduled at the Healthcare Privacy & Security Form hosted on May 19, 2017 by the Information Security Systems Association of Los Angeles County (ISSA-LA) as a component of its 9th Annual ISSA-LA Information Security Summit. The presentations of Ms. Stamer and others at the conference are particularly timely coming on the heels of the May 12 Cyber alerts to U.S. health industry and other businesses about the urgent need to defend against the spread of an epidemic international malware threat targeting U.S. healthcare and other businesses.  See Health Care, Health Plan & Other Health IT Systems Warned of E-Mail Cyber AttackUrgent WannaCry Ransomware Cyber Warning IssuedAlert: Guard Health E-Mail, Other IT Against WannaCry Malware Attack.

    The Medical Privacy & Security Summit is part of the 9th Annual ISSA-LA Information Security Summit scheduled for May 18-19, 2017 at the Universal City Hilton in Los Angeles.  Recognized as a premier information security education and networking event, the Summit is expected to bring together 1000 or more health industry and other IT and InfoSec executives, leaders, analysts, and practitioners to learn from the experts, exchange ideas with their peers, and enjoy conversations with the community.

    The Healthcare Privacy & Security Forum offered for the 5th year as a component of the annual Summit on May 19 specifically focuses on leading challenges, issues and opportunities confronted by health industry privacy and security professionals and their organizations.  Ms. Stamer has served on the steering committee, moderator and popular faculty member for the 2017 Forum for the 5th consecutive year.  During the 2017 Forum, she will moderate and speak on two panels:

    • “Finding & Negotiating The Mine Fields: CISO, CIO & Privacy Officer’s Playbook for Promoting Compliance & Security Without Getting Fired,” a luncheon interactive panel discussion with the audience exploring the challenging mission CISOs, CIOs and Privacy Officers face to ensure their healthcare, financial and other critical information, data and systems continue to support the patient care and operating functions of their organizations, while at the same time defending these systems, operations and their sensitive, but mission critical data against malicious or innocent misappropriation, use, access or destruction; and
    • The closing panel on “What Initiatives Are on the Horizon in Healthcare, and How Can We Secure Them?”, which will explore likely future emerging privacy and security threats and technologies, regulatory challenges and enforcement, and other trends that Privacy and Security professionals are likely to face and tips and strategies for preparing to leverage these likely new opportunities and manage new challenges.

    Register or get the full schedule of programs and other events scheduled at the Healthcare Privacy & Security Forum specifically along with the overall Information Security Summit here.

    About Ms. Stamer

    Cynthia Marcotte Stamer is a Martindale-Hubble “AV-Preeminent (Top 1%) rated practicing attorney and management consultant, health industry public policy advocate, widely published author and lecturer, recognized for her nearly 30 years’ of work on health industry and other privacy and data security and other health care, health benefit, health policy and regulatory affairs and other health industry legal and operational as a LexisNexis® Martindale-Hubbell® “LEGAL LEADER™ and “Top Rated Lawyer,” in Health Care Law and Labor and Employment Law; a D Magazine “Best Lawyers In Dallas” in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law,” a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel.

    Scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer is well-known for her extensive work and leadership throughout her career on HIPAA, FACTA, PCI, IRC and other tax, Social Security, GLB, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns.  Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks, insurers and other financial institutions, and others on trade secret confidentiality, privacy, data security and other risk management and compliance including design, establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, drafting and negotiation of business associate, chain of custody, confidentiality, and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others; reporting known or suspected violations; commenting or obtaining other clarification of guidance and other regulatory affairs, training and enforcement, and a host of other related concerns.

    Her clients include public and private health care providers, health insurers, health plans, employers, payroll, staffing, recruitment, insurance and financial services, health and other technology and other vendors, and others.

    Author of a multitude of highly-regarded works and training programs on HIPAA and other data security, privacy and use published by BNA, the ABA and other premier legal industry publishers In addition to representing and advising these organizations, she also speaks extensively and conducts training on health care and other privacy and data security and many other matters Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

    Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify promote tangible improvements in health care and other policy and operational areas.

    For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by e-mail here or by telephone at (469) 767-8872. ©2017 Cynthia Marcotte Stamer.  Limited, non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.

    Leave a Comment » | Corporate Compliance, Cyber crime, data breach, data security, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, ERISA, FDA, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, GINA, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility,