HHS |

New CMS LTC Staffing Requirements Likely To Increase Workforce Competition, Costs Industry-Wide

May 12, 2024

Nursing homes and other health care facilities competing for staffing with these facilities should begin preparing to cope with expected wage costs and other pressures expected to result from new staffing and other changes to staffing requirements for Meficare and Medicaid participating long-term care favorites released by the Department of Health and Human Services Centers for Medicare & Medicaid Services (“”CMS”) on April 22, 2024.

The Minimum Staffing Standards for Long-Term Care (LTC) Facilities and Medicaid Institutional Payment Transparency Reporting final rule (“Final Rule”) will require long-term care facilities participating in federal programs such as Medicare and Medicaid are to have a licensed registered nurse (“RN”) on site at all times and to meet minimum nurse staffing (“TNS”) requirements imposed under the Final Rule. The Final Rule also will face enhanced facility assessment requirements under the Final Rule.

The mandates of the Final Rule and resulting increases in compensation and competition will impact both participating LTCs and other health care providers competing for staffing.

Total Nurse Staffing

CMS says its new minimum nurse staffing standards “will set a national and broadly applicable baseline that will significantly reduce the risk of unsafe and low-quality care for residents across all LTC facilities.”

Subject to certain limited temporary exceptions, the TNS requirements for long-term care (“LTC”) facilities aim to significantly reduce the risk of residents receiving unsafe and low-quality care within LTC facilities by specifying required minimum nurse staffing.

The Final Rule generally will require LTC facilities to meet a total nurse staffing standard of 3.48 hours per resident day (HPRD), which must include at least 0.55 HPRD of direct registered nurse (RN) care and 2.45 HPRD of direct nurse aide care. LTCs may use any combination of registered nurse (“RN”), licensed practical nurse (“LPN”), licensed vocational nurse (“LBN”), or nurse aide) to account for the additional 0.48 HPRD needed to comply with the total nurse staffing standard.

In addition, the Final Rule will require LTCs to have at least one RN on site 24 hours a day, 7 days a week to provide skilled nursing care.

Some “limited temporary exceptions” may apply to all the requirements for qualifying LTCs in areas with workforce shortages that meet other criteria. While an estimated 25% of nursing homes would be eligible for exceptions, these are “limited, temporary exceptions,” LTC must be in a workforce shortage area and report the amount of their income spent on wage and other information to prove their “good faith” efforts to hire by paying competitive wages.”

While these are minimum staffing standards, CMS expects LTC facilities to use the updated and newly strengthened facility assessment to determine whether their staffing needs to be set above these minimums, based on resident acuity and individual care needs. CMS is committed to continued examination of staffing thresholds, including work to review quality and safety data resulting from initial implementation of these finalized policies, as well as robust public engagement.

Additionally, to increase transparency related to compensation for workers, CMS will also require states to collect and report on the percent of Medicaid payments that are spent on compensation for direct care workers, and support staff, delivering care in nursing facilities and intermediate care facilities, for individuals with intellectual disabilities.

CMS Tightening LTC Assessments

LTC facilities are already required to conduct, document, and review, annually and as necessary, a facility-wide assessment to determine what resources are necessary to care for residents competently during both day-to-day operations and emergencies. ensure that facilities are utilizing the assessment as intended by making thoughtful, person-centered staffing plans, and decisions focused on meeting resident needs, including staffing at levels above the finalized minimums as indicated by resident acuity, the Final Rule raises the assessment requirements as follows:

Facilities must use evidence-based methods when care planning for their residents, including consideration for those residents with behavioral health needs.
Facilities must use the facility assessment to assess the specific needs of each resident in the facility and to adjust as necessary based on any significant changes in the resident population.
Facilities must include the input of the nursing home leadership, including but not limited to, a member of the governing body and the medical director; management, including but not limited to, an administrator and the director of nursing; and direct care staff, including but not limited to, RNs, LPNs/LVNs, and NAs, and representatives of direct care staff as applicable. The LTC facility must also solicit and consider input received from residents, resident representatives, and family members.
Facilities are required to develop a staffing plan to maximize recruitment and retention of staff consistent with what was described in the President’s April Executive Order on Increasing Access to High-Quality Care and Supporting Caregivers.

Temporary Limited Exceptions

LTC facilities may qualify for a temporary hardship exemption from the minimum nurse staffing HPRD standards and the 24/7 RN requirement only if they meet the following criterion for geographic staffing unavailability, financial commitment to staffing, and good faith efforts to hire:

The facility is located in an area where the supply of RN, NA, or total nurse staff is not sufficient to meet area needs as evidenced by the applicable provider-to-population ratio for nursing workforce (RN, NA, or combined licensed nurse and nurse aide), which is a minimum of 20% below the national average, as calculated by CMS using data from the U.S. Bureau of Labor Statistics and the U.S. Census Bureau.
- The facility may receive an exemption from the total nurse staffing requirement of 3.48 HPRD if the combined licensed nurse and nurse aide to population ratio in its area is a minimum of 20% below the national average.
- The facility may receive an exemption from the 0.55 RN HPRD requirement, and an exemption of eight hours a day from the RN on-site 24 hours per day for seven days a week requirement, if the RN to population ratio in its area is a minimum of 20% below the national average.
- The facility may receive an exemption from the 2.45 NA HPRD requirement if the NA to population ratio in its area is a minimum of 20% below the national average.

Eligible LTC facilities that meet the criteria will receive a temporary hardship exemption by completing the following:

The facility provides documentation of good faith efforts to hire and retain staff, such as through job postings, the number and duration of vacancies, job offers made, and competitive wage offerings.
The facility provides documentation of the facility’s financial commitment to staffing, including the amount the facility expends on nurse staffing relative to revenue.

Before being considered, the LTC facility must be surveyed for compliance with the LTC participation requirements. CMS will coordinate with state survey agencies to determine if the facility meets the criteria for a hardship exemption noted above.

Facilities granted an exemption will be required to: 1) post a notice of its exemption status in a prominent and publicly viewable location in each resident facility; 2) provide notice of its exemption status, and the degree to which it is not in compliance with the HPRD requirements, to each current and prospective resident; and 3) send a copy of the notice to a representative of the Office of the State Long-Term Care Ombudsman.

CMS will indicate if a facility has obtained an exemption on the Medicare.gov Care Comparewebsite.

Facilities are not eligible for an exemption if any one of the following is true:

They have failed to submit their data to the Payroll Based Journal System.
They have been identified as a special focus facility (SFF).
They have been identified within the preceding 12 months as having: widespread, or a pattern of, insufficient staffing that resulted in actual harm to a resident; or an incident of insufficient staffing that caused or is likely to cause serious harm or death to a resident.

Facilities that meet the hardship exemption criteria are eligible from the time at which the exemption is granted until the next standard recertification survey, unless the facility meets any of the above-mentioned criteria for not being eligible for the exemption during that time. The hardship exemption may be extended on each standard recertification survey, after the initial period, if the facility continues to meet the exemption criteria.

Implementation Deadlines

The Final Rule has staggered implementation timeframe for its minimum nurse staffing standards and 24/7 RN requirement based on geographic location as well as possible exemptions for qualifying facilities for some parts of these requirements based on workforce unavailability and other factors.

CMS is implementing the minimum nurse staffing requirements to occur in three phases over a three-year period for all non-rural facilities. The following deadlines apply for non-rural facilities:

Phase 1 — Within 90 days of the final rule publication, facilities must meet the facility assessment requirements.
Phase 2 — Within two years of the final rule publication, facilities must meet the 3.48 HPRD total nurse staffing requirement and the 24/7 RN requirement.
Phase 3 — Within three years of the final rule publication, facilities must meet the 0.55 RN and 2.45 NA HPRD requirements.

The Final Rule sets later deadlines for rural facilities in acknowledgment of the unique challenges that rural LTC facilities may face in staffing as follows:

Phase 1 — Within 90 days of the final rule publication, facilities must meet the facility assessment requirements.
Phase 2 — Within three years of the final rule publication, facilities must meet the 3.48 HPRD total nurse staffing requirement and the 24/7 RN requirement.
Phase 3 — Within five years of the final rule publication, facilities must meet the 0.55 RN and 2.45 NA HPRD requirements.

Qualification as a rural facility is determined by the Office of Management and Budget.

CMS Nursing Home Staffing Campaign

CMS continues efforts to encourage the availability to increase the number of nurses in nursing homes. As part of these efforts, CMS plans to promote awareness of the many career pathways in the nursing field that are available to help recruit all types of individuals, from NAs to LPNs/LVNs and RNs. It also plans to offer financial incentives like tuition assistance for nurses to work in the nursing home environment in qualifying facilities or state oversight roles and to make it easier for individuals to become nurse aides by streamlining the process for enrolling in training programs and finding placement in a nursing home.

Additionally, CMS plans to partner with states to bolster nurse recruitment.

CMS says more announcements are expected later this year and it anticipates beginning distribution of financial incentives in 2025.

Begin Preparing Now

All nursing homes and other health care facilities competing for staffing should begin preparing for these changes immediately. Obviously, LTC is participating in Medicare, Medicaid or other covered programs will face the most immediate and direct impact from these rules. Facility should begin documented efforts to meet the staffing requirements and where applicable, evidence and other materials needed to prepare for required surveys and to establish, other criteria necessary to qualify for exemption if needed.

It is not just the facilities directly covered by the rules that the new staffing requirements will impact.

While the new requirements technically apply only to LTCs participating in Medicare, Medicaid or other CMS regulated programs, their applicability likely will impact non-participating programs as well. the new minimum requirements will affect standards of care for negligence and other purposes.

Likewise, increases in compensation and other terms and conditions of employment at covered facilities will affect other types of providers. Non-participating nursing homes, home health, hospice, rehabilitation, hospitals, rehabilitation, facilities, assisted living facilities and other providers should expect greater scrutiny of their staffing and greater pressure to pay better wages and improve other work conditions and benefits in response to greater competition for workers.

Facilities that have used noncompetition agreements or other restraints on post employment eligibility to work are cautioned that these types of restraints could run afoul of the federal trade commissions new Non-Competition Clause Final Rule slated to take affect in September, 2024 if the current judicial stay against it is lifted by that time.

Likewise, long-term care another healthcare employers planning to increase wages, or other terms of employment are cautioned to use care to comply with any applicable duties to bargain or other requirements if subject to union organization or contracts.

Given the complicated maze of employment, benefits, and healthcare regulations that facilities working to deal with these new requirements must negotiate, healthcare providers working with these and other recruitment rules are encouraged to consult with qualified legal counsel with experience in both the healthcare and employment issues involved.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of workforce, risk management, compliance, regulatory and government affairs and other work with health care, employee benefit, managed care and other insurance, education, workforce and other performance and data dependent organizations, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with government and private health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services, education and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications, her experience includes extensive involvement throughout her career advising and representing health care and life sciences and other clients about preventing, investigating and defending HHS CMS, OIG, CIICO, OCR; , DOL WHD, EEOC, EBSA, OSHA; DOJ, OFCCP; NLRB; DOE; ICE; state attorney general licensing, Department of Health, Aging, Disability, Insurance, and other federal and state, JCHO and other accreditation and quality, peer review, employment and other workforce, contract and other investigations, audits, and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | Academic medicine, Accreditation, Ambulatory care, compensation, Conditions of Participation, Doctor, Emergency Care, Employee Benefits, Employer, Employment law, ERISA, FLSA, FTC, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, Hospice, Hospital, hospitals, Immigration, Indian Health, Labor Law, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, nursing home, OIG, Patients, Peer Review, Reimbursement, Rural Health Care, Skilled Nursing Facility | Tagged: Health Care, Health Care Provider, nursing home, Skilled Nursing | Permalink
Posted by Cynthia Marcotte Stamer

OCR Updated Guidance Reminds HIPAA Entities Of HIPAA Online Tracking Duties

March 19, 2024

Health care providers, heath plans, health care clearinghouses and their business associates (covered entities) should verify that any online tracking technology used in their or their business partner websites or mobile applications comply with the Department of Health and Human Services, Office of Civil Rights (OCR) updated guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” published March 18, 2024.

The Guidance reminds covered entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) apply to their use of online tracking technologies like Google Analytics or Meta Pixel, collect and analyze information about how users are interacting with a regulated entity’s website or mobile application.

The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes electronic protected health information (ePHI).

OCR’s information bulletin reminds covered entities that they can only use online tracking technologies provided that the entities comply with their obligations under the HIPAA Rules. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

OCR’s Bulletin provides a general overview of how the HIPAA Rules apply to covered entities use of tracking technologies. It also updates to the Bulletin include:

Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
Additional tips for complying with the HIPAA Rules when using online tracking technologies.
Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.

Covered entities need to understand that online tracking technologies commonly are included in Website, mobile application, and other Internet based tools. These tools frequently include online tracking even if not specifically requested by the covered entity.

Covered entities should conduct a documented inventory of all website, mobile app, and other Internet, based tools that they or their business associates use, which includes an assessment of whether those tools include online tracking, or other technologies, covered by the guidance. For any online tools using tracking capability, cupboard entities, must ensure that the tool is designed and administered to comply with the HIPAA requirements. Overed entities also should adopt a process for regularly reevaluating and monitoring compliance with this and other HIPAA security requirements in their Internet based in other electronic applications that collect, use, store, access, or disclose electronic, protected health information.

Along with specifically evaluating the existence and compliance of any online tracking technologies, covered entities, also should reevaluate and reconfirm the adequacy of their electronic security overall. The HIPAA Rules require healthcare providers and other covered entities to regularly conduct documented risk assessments to verify the adequacy of their security safeguards, and to make updates to guard against emerging threats based on these recurrent assessments. The importance of compliance with this ongoing recurrent risk assessment obligation is repeatedly reinforced in each HIPAA settlement announced by OCR. See, e.g., OCR Nails Second HIPAA Covered For Allowing Ransomware Breach.

Covered entities should ensure that they and their business associates maintain compliance with these other HIPAA obligations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, air ambulance, ASC, business associate, Childrens Health Insurance Program, Conditions of Participation, Electronic Medical Records, Emergency Care, Health Care, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospital | Permalink
Posted by Cynthia Marcotte Stamer

OCR Nails Second HIPAA Covered For Allowing Ransomware Breach

February 23, 2024

Health care providers, health plans, health care clearinghouses and their business associates (covered entities) that fail to appropriately safeguard their protected health information and systems against randomware and other malware threats as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should expect to pay hefty amounts to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) if an attack occurs. That is the clear message sent by OCR’s February 22, 2022 announcement of its second ransomware settlement since October, 2023.

Duty To Guard Against Malware

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information.

Ransomware and hacking are the primary cyber-threats in health care. A type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid, OCR has seen large breaches affecting more than 500 individuals reported to OCR involving hacking increase 256% and those from ransomware increase 264% increase over the past five years,

In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

In light of the growing threat, OCR is prioritizing enforcement, education and compliance outreach to HIPAA covered entities.

OCR’s February 22, 2024 announcement of its second ever and second settlement of a malware related enforcement action in less than five months demonstrates OCR’s readiness to hold covered entities accountable for failing to fulfill this responsibility.

Green Ridge Ransomeware Breach

OCR’s February 22, 2022 announcement of its second ever ransomware related resolution agreement and corrective action plan reaffirms OCR’s readiness to hold covered entities accountable for failing to guard against ransomware and other cyber risks.

Green Ridge Behavioral Health, LLC, (Green Ridge), a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy. This marks the second settlement that OCR has reached with a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack.

The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals.

OCR learned of the breach after Green Ridge filed a breach report with OCR in February 2019 that stated that its network server had been infected with ransomware resulting in the encryption of company files and the electronic health records of all patients.

In keeping with its policy of investigating all breaches affecting more that 500 individuals (large breaches), OCR opened an investigation in April, 2019.

OCR’s investigation of the breach found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach. Other findings included that Green Ridge Behavioral Health failed to:

Have in place an accurate and through analysis to determine the potential risks and vulnerabilities to electronic protected health information;
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.

Under the terms of the settlement, Green Ridge agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years to avoid exposure to potentially much greater HIPAA monetary penalties.

The plan also requires Green Ridge to take many actions to resolve potential HIPAA violations and to protect electronic protected health information, including:

Conducting a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
Designing a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
Reviewing, and as necessary, developing, or revising its written policies and procedures to comply with the HIPAA Rules;
Providing workforce training on HIPAA policies and procedures;
Conducting an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
Reporting to OCR when workforce members fail to comply with HIPAA.

First Malware Settlement

Prior to this week’s announcement of the Green Ridge resolution agreement, OCR already had announced its first ever malware related resolution agreement on October 31, 2023.

That $100,000 settlement resolved a potentially much greater HIPAA liability business associate Doctors’ Management Services (DMS) could have faced for alleged HIPAA violations OCR found investigating a large breach report DMS filed on April 22, 2019.

The DMS breach report disclosed that a ransomware attack affected DMS’ network server with GandCrab ransomware beginning with an initial unauthorized access to the network that occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018, Once the DNS system was accessed, ransomware was used to encrypt their files. The attack affected the electronic protected health information of 206,695 individuals

OCR’s investigation of the DNS breach found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

Under the terms of the DMS settlement agreement paid $100,000 to OCR and agreed to implement a corrective action plan that requires:

DMS to submit to OCR monitoring for three years to ensure compliance with HIPAA
Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctor’s Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
Provide workforce training on HIPAA policies and procedures.

Warning To All Covered Entities

Along with announcing the two recent resolution agreements, OCR also is warning all covered entities to tighten their malware and ransomware safeguards.

OCR’s announcement of the Green Ridge resolution agreement, for instance, quotes OCR Director Melanie Fontes Rainer as stating, “Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

To assist covered entities to meet this responsibility, OCR has developed Fact Sheet guidance that recommends covered entities to take at least the following steps to guard against breaches from ransomware and other malware attacks:

Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.
two recent resolutions agreements and other guidance and enforcement actions make clear that all covered entities should ensure their ability to demonstrate their completion of these and other actions a risk analysis shows are needed to defend against a ransomware or other malware threats. This guidance also alerts covered entities to stay vigilant and update risk assessments and safeguards in response as to evolving threats.

Covered entities should not assume the relatively modest settlement amounts collected in the two new ransomware settlements compared to exponentially greater resolution settlements like the $4.75 million settlement payment New York based Montefiore Medical Center made last year reflect greater tolerance for ransomware related threats versus internal or external hacking. To the contrary, the Montefiore Medical Center resolution makes clear the randomware threat is one of a multitude of internal and external threats covered entities must defend their protected health information against to comply with HIPAA.

Moreover, covered entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes, privacy data security, artificial intelligence, workforce, tax, and other laws.

Publicly traded organizations and their leaders also may face responsibilities and liability under new Securities and Exchange Commission regulations, clawback rules and other laws arising from the occurrence or bungled response to a breach.

Likewise, got businesses sponsoring or administering employment-based health plans, Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws. Since HIPAA and many of these other laws involve potential criminal as well as civil liability, organizations and leaders in covered entities generally should ensure their HIPAA and other cybersecurity compliance efforts are included in and administered according to their Federal Sentencing Guidelines Compliance program.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

In planning for an implementing these procedures, Covered Entities also are reminded that the effectiveness of these efforts requires that the Covered Entities incorporate appropriate processes and policies for monitoring and investigating compliance with the policies and procedures implemented to comply with HIPAA. Conducting this monitoring and investigation by necessity is likely to involve surveillance, investigation and cooperation of employees, contractors, vendors and others for which Fair Credit Reporting Act background check notification and consent and other procedures are necessary or advisable.

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence. Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

For More Informational

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | business associate, data breach, data security, Doctor, Electronic Health Records, Electronic Medical Records, Employer, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, GINA, Health Care, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, long-term care, Medical Privacy, Medical Records, NIST, nursing home, occupational health, OCR, Pharmacy, Physician, primary care, Self-Insured Group health Plans, Telemedicine | Tagged: Breach Notification, Data Breach, Data Security, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Provider, Health Plans, Health Policy, HHS, HIPAA, Hospital, Hospitals, Medical Privacy, OCR, pharmacy, PHI, Physician, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

Accommodating Patient Preferences No Defense To Prohibited Employment Discrimination

July 31, 2023

A new federal Equal Employment Opportunity Commission (“EEOC”) lawsuit reminds health industry and other employers that patient or other customer preferences do not justify or excuse an employer’s discrimination against employees in violation of the Civil Rights Act or other federal employment discrimination laws.

Brooklyn-based home health company ACARE HHC Inc., doing business as Four Seasons Licensed Home Health Care Agency (“Four Seasons”) faces a race discrimination suit for allegedly removing home health aides from their work assignments due to their race and national origin to accommodate client preferences.

According to a lawsuit (EEOC v. ACARE HHC d/b/a Four Seasons Licensed Home Health Care, 23-cv-5760), filed by the EEOC in the U.S. District Court for Eastern District of New York on July 31, 2023, Four Seasons violated the Title VII of the Civil Rights Act of 1964 (“Civil Rights Act”) by routinely acceding to racial preferences of patients in making home health aide assignments. The EEOC claims Four Seasons routinely removed Black and Hispanic home health aides based on clients’ race and national origin-based requests. Four Seasons would transfer aides to a new assignment or, if no other assignment was available, the aides lost their employment completely. The EEOC charges this alleged conduct violates the Civil Rights Act, which among other things prohibits employers from discriminating against employees on the basis of race and national origin. The EEOC seeks compensatory damages and punitive damages for the affected employees, and injunctive relief to remedy and prevent future discrimination based on employees’ race and national origin.

The lawsuit, warns employers against resigning or assigning workers to accommodate racial or other prohibited discriminatory preferences of customers, or business partners. “Making work assignment decisions based on an employee’s race or national origin is against the law, including when these decisions are grounded in preferences of the employer’s clients,” said Jeffrey Burstein, regional attorney for the EEOC’s New York District Office.

The lawsuit is one of a plethora of enforcement Civil Rights and other federal discrimination law actions by EEOC, the Department of Health and Human Services Office of Civil Rights, and other federal agencies under the Biden Administration’s prioritization of expansion and enforcement of discrimination and other discrimination and equal opportunity laws.

In light of these efforts, employers should take immediate steps to update policies, postings, training, and practices to ensure their ability to defend their compliance with race and other federal nondiscrimination laws.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and VIce-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Abortion, Academic medicine, air ambulance, Child Care, Childcare, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Direct Primary Care, Discrimination, DME, Doctor, drug treatment, early childhood education, Emergency Care, Employer, exchange plans, Federal Health Center, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Plan, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, Medicare Prescription Drug Program, Mental Health, Nonprofits, nursing home, OCR, OIG, Physician, Prescription Drugs, Provider contracting, Rehabilitation Act, Reproductive Rights, Section 1557, Sexual Abuse, Sexual Assault, Sexual Harassment | Permalink
Posted by Cynthia Marcotte Stamer

HHS Recommits To LGBTQ Nondiscrimination Protections In Newly Proposed Rules; Religious Exemption Likely Limited By Pending HHS Changes In Religious Freedom Protections

July 11, 2023

Health care providers, health insurance issuers, health care professional associations, state and local government entities and other organizations and providers participating or receiving funds from the Department of Health and Human Services (“HHS”) funded programs should evaluate their likely responsibilities and exposures for preventing discrimination on the basis of sexual orientation and gender under the Notice of Proposed Rule Making (“NPRM”) to the Health and Human Services Grants Regulation (the “Proposed HHS Grants Rule”) the HHS Office for Civil Rights (“OCR”) and the Assistant Secretary for Financial Resources (“ASFR”) released to the public today (July 11, 2023) and scheduled for joint publication the Federal Register on July 13, 2023.

Proposed HHS Grants Rule Overview

The NPRM builds on HHS’ efforts to ensure access to health and human services for Lesbian, Gay, Bisexual, Transgender, Queer, and Intersex (“LGBTQI”) individuals in furtherance of President Biden’s Executive Orders on Preventing and Combating Discrimination on the Basis of Gender Identity and Sexual Orientation and Advancing Equality for Lesbian, Gay, Bisexual, Transgender, Queer, and Intersex Individuals by reaffirming the prohibition against discrimination on the basis of sexual orientation and gender identity in federal statutes administered by HHS while defining procedures through which HHS would permit organization with religious objections to seek an exemption from or modification of the otherwise applicable requirements.

The Proposed HHS Grants Rule clarifies and reaffirms HHS’ prohibition against LGBTQI discrimination by stating, “In statutes that HHS administers which prohibit discrimination on the basis of sex, the Department interprets those provisions to include a prohibition against discrimination on the basis of sexual orientation and gender identity, consistent with the Supreme Court’s decision in Bostock v. Clayton County, 140 S. Ct. 1731 (2020), and other federal court precedent applying Bostock’s reasoning that sex discrimination includes discrimination based on sexual orientation and gender identity.”

The Proposed HHS Grants Rule represents the latest effort of HHS to finalize and implement prohibition against LGBTQI individuals in HHS first undertaken in 2016. Since HHS originally adding the prohibition against LGBTQI discrimination to its HHS Grants Rule, HHS faced various court challenges to its LGBTQI nondiscrimination provisions. These challenges included lawsuits challenging HHS’ interpretation of the sex discrimination prohibitions of Title VII of the Civil Rights Act of 1964, 42 U.S.C. 2000e-2(a)(1) (“Title VII”) as prohibiting discrimination based on sexual orientation and identity, First Amendment religious freedom challenges and challenges based on alleged violations of the Administrative Procedures Act.

In the intervening years, HHS originally granted various waivers, then subsequently adopted a blanket non-enforcement policy to address First Amendment religious freedom concerns about the LGBTQI discrimination prohibition and attempted to resolve Administrative Procedures Act challenges in subsequently published versions of the rules. Meanwhile, the U.S. Supreme Court resolved objections to HHS’ expansive interpretation of Title VII as extending to LGBTQI when it affirmed Title VII’s prohibition against discrimination on the basis of sex includes discrimination based on sexual orientation and gender identity in Bostock v. Clayton County, 140 S. Ct. 1731 (2020).

As currently proposed, the HHS Grants Rule has a sweeping reach. In the Proposed HHS Grant Rule, HHS reaffirms that discrimination against LGBTQI individuals is prohibited in virtually all HHS-funded and administered programs while revising the existing HHS Grants Rule to address when and how a provider with faith-based objections to the rules can seek exemption or other religious accommodations from HHS.

As currently proposed the Proposed HHS Grants Rule would treat LGBTQI discrimination as prohibited discrimination on the basis of sex in most HHS regulated or funded programs. The LGBTQI discrimination prohibition would apply to authorizations for domestic resettlement of and assistance to refugees; assistance in transition from homelessness; Children with Serious Emotional Disturbances; Title VII Health Workforce Programs; Nursing Workforce Development; Preventive Health Services Block Grant; Substance Abuse Treatment and Prevention Block Grant; Community Mental Health Services Block Grant; Maternal and Child Health Block Grant; Disaster relief; Low-Income Home Energy Assistance Program; Head Start; Community Services Block Grant Program; and Family Violence Prevention and Services programs.

HHS’ announcement of its plans to reaffirm its LGBTQI equal protection requirements in the HHS Grants Rule likely will prompt new attention and scrutiny from organizations and individuals with faith-based objections to its mandates, particularly given HHS’ release of the rule comes less than two weeks after the Supreme Court’s June 30, 2023 landmark ruling in 303 Creative LLC . v. Elenis, 600 U. S. ____ (2023), upholding the right of a website designer, who believes same-sex marriage contravenes her faith, to exemption from enforcement of a state law that prohibited a public business from communicating to patrons that service would be refused based on sexual orientation.

The Proposed HHS Grants Rule includes provisions requiring HHS to accommodate the religious rights of organizations or individuals with faith-based objections protected by the Religious Freedom Restoration Act (“RFRA”) or the First Amendment when administering and enforcing its provisions without specifically detailing the procedures for raising such objections or the standards HHS will apply to decide whether to approve a request for religious exemption or accommodation.

In this respect, the Proposed HHS Grants Rule provides that a recipient at any time may notify the HHS awarding agency, ASFR, or the Office for Civil Rights (OCR) of the recipient’s view that it is exempt from, or requires modified application of, certain provisions of the Rule due to the RFRA, the First Amendment or another religious freedom law. The Proposed HHS Grants Rule also directs that once the awarding agency receives notice of religious objection from a particular recipient, “any relevant ongoing compliance activity regarding the recipient shall be held in abeyance” until the applicable agencies in legal consultation with the HHS Office of the General Counsel determine whether the recipient is exempt from the application of certain provisions or entitled to modified application of the rules based on a federal religious freedom law.

While the Proposed HHS Grants Rule does not detail the procedures for requesting religious accommodation or the standards HHS will use to decide whether to approve requests, HHS does address those standards and procedures in other guidance, the current provision of which are highlighted on the HHS Conscience and Religious Freedom Webpage. It bears noting, however, that along with the Proposed HHS Grants Rule, HHS also currently is considering a separate proposal to narrow the availability of religious and conscience objections to its rules it announced in a January 5, 2023 Notice of Proposed Rule Making titled “Safeguarding the Rights of Conscience as Protected by Federal Statutes” (“Proposed Religion Rule”). While the official comment period for the Proposed Religion Rule closed on March 6, 2023, its provisions, if adopted as proposed, could materially affect the interpretation and enforcement of the HHS Grants Rule. Accordingly, organizations and other parties concerned about the likely interpretation and enforcement of the HHS Grants Rule with respect to parties claiming religious freedom objections should consider the likely implications of the Proposed Religion Rule in their evaluation of the HHS Grants Rule.

In response to the HHS Grants Rule, all health care providers, health plans and others expected to be impacted by the Proposed HHS Grants Rule should both begin preparing to adjust their existing policies and practices in anticipation of the finalization of the Proposed HHS Grants Rule as well as submit relevant concerns and other feedback on the Proposed Rule by the September 11, 2023 comment deadline established in the NPRM. Providers and other stakeholders with potential faith-based concerns about any of the requirements of the Proposed HHS Grants Rule should take particular note of the Rule’s proposed provisions regarding religious accommodation, taking into account the Proposed Religion Rule purposes of this planning as well as their timely submission of any comments by the applicable September 11, 2023 comment deadline.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

February 3, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health care providers, health plans, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations OCR identified specifically included:

A lack of an analysis to determine risks and vulnerabilities of electronic protected health information across the organization;
Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack;
Failure to implement an authentication process to safeguard its electronic protected health information; and
Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as a warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near-miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board-level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, suppliers and other third parties, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third-party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Cyber crime, data breach, data security, DME, Doctor, Employer, ERISA, Federal Sentencing Guidelines, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospice, Hospital, hospitals, Licensing, Meaningful Use, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, OCR, Peer Review, Physician Licensing, retaliation, Technology, Telemedicine, Whistleblower | Tagged: ARRA, Breach Notification, CMS, Compliance, Corporate Compliance, Data Breach, Data Security, Doctor, DOJ, EHR, Electronic Health Records, Employer, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Care Reimbursement, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Privacy, HITECH Act, Hospital, Hospitals, licensure, Medicaid, Medical Privacy, Medicare, OCR, Office of Civil Rights, OIG, PHI, Physician, Physicians, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Act Promptly To Comment On ONC’s Proposed Electronic Clinical Quality Measure Draft Changes

September 14, 2022

Health care providers, health plans and insurers and other stakeholders concerned about the Department of Health and Human Services Office of the National Coordinator for Healthcare Information (“ONC”) electronic clinical quality measures (“eCQMs”) have the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by ONC as part of ONC’s 2022 Change Review Process (CRP) for the ONC Project Tracking System. Interested stakeholders must monitor the posting of issues and act quickly to share their feedback, however, as stakeholders have only two weeks to comment after a ONC posts a new proposed eCQm change.

eCQMs As Measure of Health Care Quality

Electronic clinical quality measures or “eCQMs” are tools that ONC develops with stakeholder input to help Medicare and Medicaid measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider’s electronic health record (EHR). CMS Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care. CMS’ eCQMs measure many aspects of patient care, including:

Patient and Family Engagement
Patient Safety
Care Coordination
Population/Public Health
Efficient Use of Healthcare Resources
Clinical Process/Effectiveness

To successfully participate in the Medicare and Medicaid Promoting Interoperability Programs, the Centers for Medicare and Medicaid Services (“CMS”) requires eligible providers, eligible hospitals, critical access hospitals and dual-eligible hospitals electronically to report on eCQMs determined by CMS that require the use of data from the provider’s certified electronic health record (“EHR”) technology (CEHRT) or other health information technology systems to measure and report quality measures in a standardized manner. For calendar year (CY) 2022, Medicare Promoting Interoperability Program participants are required to report on three self-selected eCQMs and the Safe Use of Opioids – Concurrent Prescribing eCQM from the set of nine available for at least three self-selected quarters of CY 2022 data. To report eCQMs successfully, health care providers must use an EHR and adhere to the requirements identified by the CMS quality program. Failing to meet these eCQM reporting requirements can prevent the provider from meeting meaningful use requirements and trigger reductions in reimbursements for care.

Health care quality, credentialing, accreditation, and other provider, health plan and other organizations also use the eCQMs data alone or with other quality measures and tools to set standards and assess and enforce quality goals and performances.

As the proposed changes on a relevant eCQM could materially impact the reporting responsibilities of the reporting providers, the quality and meaning of a proposed data measure, or both, impacted stakeholders should monitor the system for possible changes impacting the eCQMs used or applicable to their organizations and its activities and if appropriate, comment promptly.

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

Evidence-based Medicine
Code Sets
Measure Logic

Conducted annually as part of OCN’s eCQM Issue Tracker project, the CRP provides eCQM users the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by the measure stewards. The goal of the CRP is for eCQM implementers to comment on the potential impact of draft changes to eCQMs so CMS and measure stewards can make improvements to meet CMS’s intent of minimizing provider and vendor burden in the collection, capture, calculation, and reporting of eCQMs.

Stakeholders with an account on the ONC Project Tracking System can monitor, review and comment on proposed eCQM changes through the eCQM Issue Tracker project during the two week period following the date the issue is posted in the eCQM Issue Tracker. To participate in the CRP, users must have an ONC Project Tracking System account. New users can create an account via the ONC Project Tracking System website.

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates

Issues Open for Public Comment As of 9/14/2022

CMS eCQM Identifier and Measure Title	CRP Issue Title	Issue Number and Link	Issue Type	Goal of Review	Public Comment Open Date	Public Comment Close Date
Multiple measures	Incorporate ‘Diagnosis’ datatype to capture Hospice Care	CQM-5561	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older Adults	Update Cumulative Medication Duration function to calculate maximum daily frequency	CQM-5562	Logic	Obtain technical feedback	09/07/2022	09/21/2022
Multiple measures	Expand codes using ‘Diagnosis’ datatype to capture Palliative Care	CQM-5563	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
Multiple measures	Require 2 indications of frailty to meet exclusion	CQM-5564	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022
CMS127: Pneumococcal Vaccination Status for Older Adults	Expand numerator to allow for pneumococcal vaccination since 19 years of age	CQM-5565	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022

eCQM Issue Tracker Open Issues As Of September 14, 2022

As proposed eCQM changes are posted for public comment as CRP issues. ONC informs eCQM accountholders of the proposed change or eCQM issue by posting for review in the ONC Project Tracking System. Accountholders only have two weeks after ONC posts a proposed eCQM to comment on the posted issue. Stakeholders interested in commenting on a particular issue must submit their comment in accordance with the directions within this two week period.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement In 9/8 JCEB Webex

September 2, 2022

As qualifying individuals and companies that purchased or received health insurance await instructions on how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Anethesiology, Antitrust, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Federal Sentencing Guidelines, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: Antitrust, Association, competition, Department of Justice, Employers, Group Purchasing Organizations, Health Care, Health Insurance, Health Plans, PBMs, Physician, Prescription Drugs, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Covered Entity Nailed With $300,000+ HIPAA Settlement For Improper PHI Disposal

August 23, 2022

A Massachusetts dermatology practice’s Health Insurance Portability & Accountability Act (“HIPAA”) $300,000 plus settlement with the Department of Health & Human Services Office for Civil Rights (OCR) reminds health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) to use proper practices and safeguards when disposing of protected health information (“PHI”).

Following up on other OCR enforcement involving improper protection and disposal of paper and electronic PHI, the settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) OCR announced today (August 23, 2022) resolves charges that NDELC violated the HIPAA Privacy Rules when it placed specimen containers with patient identifying PHI in its parking lot garbage bin.

OCR interprets HIPAA as requiring Covered Entities to appropriate steps to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public. ”Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer.

On May 11, 2021, NEDLC filed a breach report with OCR that reported empty specimen containers with the PHI on labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. On March 31, 2021, a third-party security guard found one specimen container bearing a label containing patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen. During the investigation, NEDLC stated that from February 4, 2011 until March 31, 2021, it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.

OCR’s New England Regional Office found the practice of disposing of specimen containers with their labels containing PHI violated the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Under the NEDLC Resolution Agreement negotiated to settle the alleged violations, NEDLC paid $300,640 to OCR and agreed to implement a “robust” corrective action plan that includes two years of OCR monitoring. Among other things, the corrective action plan requires NEDLC to:

Within 60 days, develop, maintain, and revise, as needed and present for OCR review its written policies and procedures to comply with the physical safeguard and disposal of PHI created, received or maintained by or on behalf of NEDLC and all other HIPAA Privacy, Security and Breach Notification and training protocols to ensure workforce member compliance with these policies; and sanctions for workforce members violating these requirements;
Implement the updated policies and procedures within 30 days of receipt of HHS approval;
Distribute the policies to existing members of its workforce within 30 days of receipt of HHS approval of the policies and subsequently to new members of the workforce within 30 days of their beginning of service and obtain a signed written or electronic initial compliance certification from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures;
Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed, provide the revised policies and procedures to HHS for review and approval, and redistribute to and obtained new compliance certifications from workforce members and business associates within 30 days of HHS approval;
If it receives information during the Compliance Term that a workforce member or business associate may have failed to comply with its policies and procedures for safeguarding PHI, promptly investigate and it the investigation finds a violation, notify HHS within 30 days of the violation and corrective action taken;
Comply with specified breach investigation and notification requirements;
Provide reports certified by a designated leader of the organization its implementation of the corrective action plan, annually and upon the occurrence of certain other events during the two-year monitoring period.

The NEDLC Resolution Agreement is not the first time OCR has nailed a Covered Entity for improper disposal of PHI. In 2015 Cornell Prescription Pharmacy paid OCR $125,000 and implemented a correction action plan to correct alleged HIPAA violations after an OCR investigation of a local news report confirmed unsecured paper documents containing PHI of more than 1600 patients were disposed of in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. See Cornell Prescription Pharmacy Resolution Agreement. See also $800,000 HIPAA Settlement in Medical Records Dumping Case.

To reduce their own exposure to potential HIPAA liability arising from improper disposal of PHI, covered entities should evaluate the adequacy of the PHI handling, security and disposal policies, procedures, training and compliance for potential weaknesses and take appropriate, timely documented corrective action to tighten their compliance with OCR’s regulations, OCR’s Frequently Asked Questions About the Disposal and other OCR enforcement actions and guidance on PHI disposal.

Since these evaluations could uncover past or ongoing compliance concerns, Covered Entities and business associates should consider engaging legal counsel experienced with HIPAA compliance to advise and aid the Covered Entity to structure, conduct, evaluate findings and determine and implement any corrective actions that the review reveals as required or advisable within the scope of attorney client privilege.

Effective protection and disposal of PHI requires that Covered Entities recognize and keep track of all PHI in the various phases of its lifecycle in the organization including when it is being disposed or or migrating through various systems. Sanctions for disposal of specimen bottles containing PHI labels should raise the need for awareness of disposal practices for other patient labeled items including identification bracelets, medication containers and labels, meal trays and the plethora of other items containing patient specific information. PHI disposal issues also can arise out of the disposal of files, storage containers, computers, copiers or other devices. For instance, under the Affinity Health Plan, Inc. Resolution Agreement, Affinity Health paid OCR $1,215,780 to settle potential HIPAA Civil Monetary Sanctions after OCR found it exposed the PHI of up to 344,579 individuals by returning photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

Because HIPAA obligations continue even when a Covered Entity or business associate goes out of business, Covered Entities also need to take appropriate steps to provide for ongoing management, protection and disposal of PHI when they or a business associate ceases business. Thus, in the FileFax Resolution Agreement, for instance the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $ 100,000 out of the receivership estate to OCR to settle potential HIPAA violations after Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

Covered Entities must understand that these responsibilities generally cannot be met merely through adoption of a standard set of policies and procedures from a third-party. The HIPAA Privacy Rule requires all Covered Entities to prepare and document risk assessments and develop and enforce appropriate privacy and security policies and procedures. Security and disposal practices and procedures are among the elements of HIPAA compliance that OCR expects Covered Entities to address in the documented risk assessments the regulations require Covered Entities to prepare and maintain. See $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis. As with other HIPAA compliance responsibilities, OCR regulations require that Covered Entities include their documented assessment and decision-making about the adequacy and reasonableness of their PHI protection and destruction practices under HIPAA as part of their overall HIPAA risk assessment plan and practices.

While OCR guidance provides some examples of several practices that a Covered Entity might use that could or could not meet the destruction standards, these examples are not safe harbors. The regulations and guidance expect Covered Entities to conduct a documented review and assessment “of their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.” OCR guidance directs that Covered Entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. Covered entities are responsible for conducting and documenting their analysis as well as their adoption, implementation and enforcement of the resulting policies and procedures.

If circumstances come to light that indicate a breach of the standards in the course of the disposal compliance assessment or otherwise, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, Covered Entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling PHI could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Anethesiology, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: Abortion, dobbs, Health Care, HIPAA, Physician, Protected Health Information, Reproductive Rights | Permalink
Posted by Cynthia Marcotte Stamer

6 Texas Physicians Face Federal Health Care Fraud Charges For Alleged Improper Kickbacks & Lab Testing Claims

May 29, 2022

The Department of Justice sent another strong warning to physicians and other health care provides not to violate the False Claims Act by making improper patient referrals in violation of the Anti-Kickback Statute and the Stark Law, billing federal health care programs for medically unnecessary laboratory testing or other services or both when charged six Texas physicians with federal health care fraud this week. The prosecution of the physicians for laboratory tests arranged and billed through management services organizations also reminds physicians and other providers that reliance upon management services or other third-party service providers generally does not protect a physician participating in prohibited laboratory or other testing, durable medical equipment, facility, physical therapy or other health care billing or referral arrangements from liability.

Charges Against Texas Physicians

This week, the Justice Department added the following six physicians as defendants to criminal charges filed in a False Claims Act complaint filed in January 2022 against former True Health Diagnostics LLC (THD) CEO Christopher Grottenthaler, former Boston Heart Diagnostics Corporation (BHD) CEO Susan Hertzberg, former LRH CEO Jeffrey Madison, and others:

Doyce Cartrett, Jr., M.D., of Silsbee, Texas, allegedly received over $320,000 from LRH and two management services organizations or “MSOs,” Ascend MSO of TX LLC (Ascend) and Eridanus MG LLC (Eridanus), in return for his referrals.
Elizabeth Seymour, M.D., of Corinth, Texas, allegedly received over $280,000 from two MSOs, Ascend and Eridanus, in return for her referrals.
Emanuel Paul “E.P.” Descant, II, M.D., of Spring, Texas, allegedly received over $125,000 from two MSOs, North Houston MSO and Tomball Medical Management Inc., in return for his referrals.
Frederick Brown, M.D., of Missouri City, Texas, allegedly received over $190,000 from two MSOs, Ascend and Indus MG LLC (Indus), in return for his referrals.
Heriberto Salinas, M.D., of Cleburne, Texas, allegedly received over $75,000 from two MSOs, Ascend and Herculis MG LLC (Herculis), in return for his referrals.
Hong Davis, M.D., of Lewisville, Texas, allegedly received over $70,000 from two MSOs, Ascend and Herculis, in return for her referrals.

The complaint in United States, et al. ex rel. STF, LLC v. True Health Diagnostics, LLC, et al., No. 4:16-cv-547 (E.D. Tex.) charges that small Texas hospitals including Rockdale Hospital dba Little River Healthcare (LRH), THD, BHD, the six physicians and others conspired to pay physicians to induce referrals to the hospitals for laboratory testing performed by THD or BHD. The charges stem from allegations made under the qui tam or whistleblower provisions of the False Claims Act by STF LLC by Felice Gersh, M.D. and Chris Riedel. The United States intervened in the qui tam action in December 2021.

The complaint alleges the charged hospitals paid a portion of their laboratory profits to recruiters, who in turn kicked back those funds to the referring physicians through MSOs allegedly set up by the recruiters to make payments to referring physicians. The Justice Department charges the alleged kickbacks were disguised as investment returns but actually were based on, and offered in exchange for, the physicians’ referrals. The complaint alleges that laboratory tests resulting from this referral scheme were billed to various federal health care programs, and that the claims not only were tainted by improper inducements but, in many cases, also involved tests that were not reasonable and necessary.

The Justice Department reports that before adding charges against the six physicians to the complaint this week, the Justice Department recovered more than $31 million relating to conduct involving BHD, THD and LRH, including False Claims Act settlements with 29 physicians, two health care executives and a laboratory company.

Health Care Fraud Liability Under False Claims Act, Anti-Kickback Statute, Stark Law

The Anti-Kickback Statute prohibits offering, paying, soliciting or receiving remuneration to induce referrals of items or services covered by Medicare, Medicaid and other federally-funded programs. The Stark Law forbids a hospital or laboratory from billing Medicare for certain services referred by physicians that have a financial relationship with the hospital or laboratory. The Anti-Kickback Statute and the Stark Law seek to ensure that medical providers’ judgments are not compromised by improper financial incentives and are instead based on the best interests of their patients.

The False Claims Act prohibits health care providers from billing federal health care programs for services resulting from referrals prohibited by the Anti-Kickback Statute or the Stark law.

Under the False Claims Act, a private party can file an action on behalf of the United States and receive a portion of the recovery. The False Claims Act also allows the Justice Department to intervene in such lawsuits and add claims and defendants, as happened in this litigation. The qui tam case is captioned United States, et al. ex rel. STF, LLC v. True Health Diagnostics, LLC, et al., No. 4:16-cv-547 (E.D. Tex.). If a defendant is found liable for violating the act, the United States may recover three times the amount of its losses plus applicable penalties.

The United States’ pursuit of this lawsuit illustrates the government’s emphasis on combating health care fraud generally with a special emphasis on physicians. For instance, U.S. Attorney Brit Featherston is quoted as saying, “Schemes that funnel health care referrals do not work without the participation of physicians. … They are not merely passive players in these elaborate schemes, but an integral part, without which the scheme could not exist. Our office is committed to rooting out health care fraud by pursuing all players involved the scheme, from the laboratories and their leaders to the marketers and the physicians who make it all possible. Naming these physicians in the complaint is evidence of that commitment.”

Given this clear warning, physicians and other prescribers, as well as recruiting, billing and management services organizations, laboratories and others involved in recruiting and marketing, providing or billing for laboratory or other services to double check the appropriateness of their referral and other practices keeping in mind that the Anti-Kickback Statute and Stark Law prohibitions against direct and indirect compensation can reach to a wide range of subtle value and benefits in addition to the obvious payment of cash or gifts delivered in a multitude of ways. The prosecution of these physicians for referrals made and compensation delivered under management services contracts also clearly warns physicians and other providers against expecting their reliance upon billing, management services or other staff or management service providers to shield them from liability if an improper referral or payment happens.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Anti-KickBack, billing, Centers For Disease Control, Conditions of Participation, DME, Doctor, Durable Medical Equipment, E-Prescribing, false claims act, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Laboratory tests, Licensing, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Money Laundering, nursing home, OIG, Opiates, Pharmaceudical, Physician, Physician Licensing, Reimbursement, Stark, Substance Abuse | Tagged: Federal Sentencing Guidelines, Opiate, pain management, Physician | Permalink
Posted by Cynthia Marcotte Stamer

SCOTUS: Emotional Injury Damages Not Recoverable In Patient’s Private Rehab Act and ACA Disability Discrimination Lawsuit But Other Significant Liability Risks Remain

May 2, 2022

Today’s Supreme Court ruling that emotional distress damages are not recoverable in a private action to enforce the disability discrimination and accommodation requirements of either the Rehabilitation Act of 1973 (“Rehab Act”) or the Patient Protection and Affordable Care Act (“ACA”) prevents health care and other businesses subject to these requirements against the risk of large emotional injury awards in private actions for discrimination based on these laws. However, health care providers and other organizations subject to these requirements should use care to maintain compliance to avoid large actual damage awards to plaintiffs bringing private lawsuits, program exclusion, penalties or other governmental sanctions or both.

Cummings Supreme Court Ruling

The May 1, 2022 United States Supreme Court ruling in Cummings v. Premier Rehab Keller authored by Supreme Court Justice John Roberts resulted from a suit that sought emotional distress damages brought by filed by a deaf and legally blind woman, Jane Cummings against Premier Rehab Keller after it denied her request that it provide an American Sign Language interpreter at her physical therapy sessions. Premier Rehab told Cummings the therapist could communicate with her through other means, Claiming Premier Rehab’s failure to provide an ASL interpreter constituted discrimination on the basis of disability in violation of the Rehab Act and Section 1557 of the ACA, Cummings sued Premier Rehab seeking various damages and other relief, including emotional distress damages.

The Supreme Court took notice that Premier Rehab was subject to these laws because its receipt of Medicare and Medicaid payments qualified as federal financial assistance triggering their applicability.

The Supreme Court affirmed the previous District Court and Fifth Circuit Court of Appeals’ rulings that emotional distress damages are not recoverable in a private action to enforce either the Rehab Act or the ACA.

The Supreme Court Majority based its decision on its finding that the Rehab Act and Act both are spending statutes that condition their offer of federal funding on a promise by the recipient not to discriminate creating what amounts essentially to a contract between the Government and the recipient of funds. Following previously established Supreme Court precedent for “private spending clause actions,” the Court ruled the emotional distress or other remedy is not available unless “the funding recipient is on notice that by accepting federal funding, it exposes itself to liability of that nature.”

To decide whether emotional distress damages are available under the Spending Clause statutes in this case, the Court therefore asked if a prospective funding recipient deciding whether to accept
federal funds would have had “clear notice” regarding that liability. Because the two statutes are silent on the availability of emotional injury damages, the Supreme Court followed prior precedent by looking to whether the emotional damages sought by Cummings were the type of damages traditionally available in suits for breach of contract so as to put Premier Rehab and other defendants on notice of their exposure to such damages from actions under the Rehab Act or ACA. While acknowledging some exceptional circumstances where punitive damages may be recovered where “the conduct constituting the breach is also a tort for which punitive damages are recoverable,” the Court found such damages “are generally not available for breach of contract.” Concluding that the recognized exception to the general rule was insufficient to give funding recipients the requisite notice that they could face such damages. the Supreme Court ruled that funding recipients under the Rehab Act and the ACA “have not, merely by accepting funds, implicitly consented to liability for punitive damages.”

To read the full Majority opinion and related consenting and dissenting opinions, see here.

Liability Risks Remain Substantial Despite Cummings Ruling

While the Supreme Court’s ruling means private litigants cannot recover emotional injury damages in discrimination actions brought to enforce the Rehabilitation Act or the ACA, health industry and other organizations remain subject to other substantial liability risks for improper discrimination in violation of those laws. Beyond recoveries for actual damages, attorneys’ fees and costs recoverable by private litigants, covered organizations also can face substantial civil monetary penalties, program disqualification, in some instances even False Claims Act liability for billing in violation of program conditions of participation and other risks. As federal agencies continue to make enforcement of these sanctions a priority, organization covered by either of these laws should use care to maintain appropriate compliance and risk management to ensure their ability to defend against any potential charges.

For instance, HHS recently reaffirmed its continued commitment and prioritization of protecting disabled individuals against disability discrimination by its publication of its February 4, 2022 FAQs for Healthcare Providers during the COVID-19 Public Health Emergency: Federal Civil Rights Protections for Individuals with Disabilities under Section 504 and Section 1557. Published to remind health care providers of their obligations under law and provide examples of applicability, HHS clarifies in that guidance that federal civil rights laws apply to health care providers, including those administering COVID-19 testing, medical supplies, and medication. These rules also apply to entities providing hospitalization, long-term care, intensive treatments, and critical care, such as oxygen therapy and mechanical ventilators. HHS also confirm that federal civil rights laws apply to state Crisis Standard of Care plans, procedures, and related standards for triaging scarce resources that hospitals are required to follow. HHS Issues New Guidance for Health Care Providers on Civil Rights Protections for People with Disabilities. See also New Guidance to Boost Accessibility and Equity in COVID-19 Vaccine Programs (December 22, 2021); HHS Takes Action to Prevent Discrimination and Strengthen Civil Rights (November 18, 2021); HHS and DOJ Issue Guidance on “Long COVID” and Disability Rights Under the ADA, Section 504, and Section 1557 (July 26, 2021); OCR Provides Technical Assistance to the State of Arizona to Ensure Crisis Standards of Care Protect Against Age and Disability Discrimination (May 25, 2021); HHS Announces Prohibition on Sex Discrimination Includes Discrimination on the Basis of Sexual Orientation and Gender Identity (May 10, 2021); New Legal Guidance and Resources to Ensure — and Expand — Access to COVID-19 Vaccines for People with Disabilities and Older Adults (April 13, 2021).

HHS’ guidance announcements all include a warning like the one from OCR Director Lisa J. Pino in the February 4, 2022 announcment that “OCR will continue our robust enforcement of federal civil rights laws that protect people with disabilities from discrimination, including when Crisis Standards of Care are in effect.”

The current and historical enforcement record of HHS demonstrates the teeth behind this commitment. OCR has a long and continuing history of extracting substantial settlements or civil monetary penalties from health care or other organizations receiving Medicare, Medicaid or other federal funds administered by HSS for engaging in conduct OCR finds inconsistent with the ACA or Rehabilitation Act discrimination requirements. See, e.g., Settlement Agreement Reached with Rhode Island Department of Children, Youth and Families to Address Discrimination Against Parents with Disabilities (March 30, 2022); Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (December 22, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office for the District of Massachusetts Settle Disability Discrimination Case with Baystate Medical Center (November 17, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office Settle Disability Discrimination Case with Backus Hospital (October 5, 2021); Rhode Island, Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (August 9, 2021).

These OCR guidance and enforcement actions and similar activities by other federal agencies send a strong message that OCR and other federal agencies will continue and expand their zealous investigation and enforcement of disability and other violations by health care providers and other public and private organizations covered by the Rehabilitation Act, the ACA or other federal discrimination and civil rights laws. Health care providers and others regulated by these federal discrimination laws should consider auditing the adequacy of existing practices, reaffirming their own and their business partners’ compliance, retraining workforce and taking other appropriate steps to help prevent illegal discrimination within their organization and to position their organization to respond and defend against potential discrimination investigations or charges.

For Additional Information Or Assistance

If you need have questions or need assistance with health, health or other insurance, employee benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help. Longtime scribe for the American Bar Association Joint Committee on Employee Benefits agency meeting with OCR and author of leading publications on HIPAA and other privacy and data security concerns, Ms. Stamer regularly assists clients and provides input to Congress, OCR and other agencies, publishes and speaks extensively on medical and other privacy and cybersecurity, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. She also is a highly-sought out speaker on privacy and data security who serves on the planning faculty and speaks for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, e-mail Ms. Stamer or call (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

Important Information About This Communication

Leave a Comment » | 1335 Waiver, Academic medicine, ADA, air ambulance, Ambulatory care, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Covid, Disability Discrimination, Discrimination, DME, early childhood education, Emergency Care, Employee Benefits, Employment, false claims act, Health Care, Health Care Fraud, Health Care Provider, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Labor Law, Laws, Life Sciences, Medicaid, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, OIG, Opiates, Outpatient, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Section 1557 | Permalink
Posted by Cynthia Marcotte Stamer

Federal Convictions Of Physicians Highlight Need For Care In Opiate & Other Pain Management Prescribing & Billing

March 4, 2022

Physicians and other health care prescribers must remain hyper vigilant when prescribing, documenting, billing and managing opiate and other pain management prescriptions and patients. That’s the clear message sent by the ever-growing wave of federal prosecutions and convictions like the March 2, 2022 federal conviction of Tennessee physician Mark Murphy and his wife, Jennifer Murphy and his wife for unlawfully distributing opioids, providing unnecessary services and defrauding insurers from their now-shuttered North Alabama Pain Services clinics (“NAPS”) and March 1, 2022 sentencing of former physician Patrick Titus to 20 years in prison for his conviction of unlawful distribution of opioid drug outside the usual scope of professional practice and not for legitimate medical purposes as part of the his internal medicine practice.

Tennessee Doctor & Wife Convicted of Pain Management Related Unlawful Opioid Distribution, Health Care Fraud & Other Criminal Charges

The March 2 federal jury conviction of Dr. and Ms. Murphy stemmed from their ownership and operation of their now-defunct pain management clinics resulted from evidence gathered through a joint investigation by the Federal Bureau of Investigation, the Department of Health & Human Services Office of Inspector General, the Internal Revenue Service, and the Drug Enforcement Agency.

During the resulting jury trial, federal prosecutors presented evidence that during the five-year period leading up to the clinic closing its Alabama locations in 2017, Dr. Murphy and Ms. Murphy, who was the office manager, caused over $50 million in fraudulent or unnecessary medical services to be charged to Medicare, TRICARE, Blue Cross Blue Shield of Alabama and others. Evidence at trial showed that NAPS provided pre-signed prescriptions to thousands of patients a month, including prescriptions written outside the usual course of professional practice without a legitimate medical purpose. Federal prosecutors also introduced evidence that the Murphys also solicited and received unlawful payments for referring fraudulent or unnecessary services to patients.

Based on the evidence, the jury found both Dr. and Ms. Murphy guilty on numerous criminal charges including:

Conspiracy to unlawfully distribute and unlawful distribution of controlled substances;
Conspiracy to commit and commission of health care fraud;
Conspiracy to defraud the United States; and
Receiving illegal kickbacks in violation of the Anti-Kickback Statute.

Ms. Murphy also was convicted of tax-related charges for underreporting clinic income.

Currently scheduled for sentencing in June, the Murphys each face a maximum of 20 years in prison for the drug charges and a maximum of 10 years in prison for the health care fraud charges. Both defendants also face a maximum of five years in prison for charges stemming from violations of the Anti-Kickback Statute, and Ms. Murphy faces up to three years in prison for the tax charges.

Former Delaware Doctor Sentenced to 20 Years in Prison for Unlawful Opioid Distribution

The Murphy’s jury conviction came one day after the sentencing of former to 20 years in prison for his July 2021 federal jury conviction on 13 counts of unlawfully distributing and dispensing controlled substances and one count of maintaining a drug-involved premises.

Federal prosecutors presented evidence in court documents and trial that Dr. Titus unlawfully distributed or dispensed opioid drugs including fentanyl, morphine, methadone, OxyContin and oxycodone outside the usual scope of professional practice and not for legitimate medical purposes as part of the his internal medicine practice. The Justice Department charged Dr. Titus frequently prescribed these dangerous controlled substances in high dosages, sometimes in combination with each other or in other dangerous combinations, mostly in exchange for cash. Evidence at trial showed he distributed over 1 million opioid pills without providing any meaningful medical care and to patients he knew were suffering from substance use disorder and/or who demonstrated clear signs that the prescribed drugs were being abused, diverted or sold on the street.

Health Care Fraud Task Force Targeting Opioid Distribution, Billing, & Related Misconduct

Both the Murphy and Titus prosecutions and convictions are two of a growing series of convictions resulted from investigations into opioid and other pain management prescribing conducted as part of efforts targeting physicians and other health care providers involved in prohibited the federal Health Care Fraud Strike Force Program. See e.g., Medical Director Convicted in $110 Million Addiction Treatment Fraud Scheme.

The Federal agencies made a point of warning to other physicians not to overprescribe, bill or engage in other prohibited dealings involving opioids or other controlled substances when announcing the Titus sentencing.

“As we continue the fight against the opioid crisis, this case serves as an important reminder that health care professionals have a duty to prescribe medication responsibly to ensure the well-being of individuals under their care. Failing to do so can endanger patients and undermines critical, ongoing public health measures,” said Special Agent in Charge Maureen Dixon of the U.S. Department of Health and Human Services, Office of the Inspector General (HHS-OIG). “HHS-OIG will continue to work with our law enforcement partners to hold bad actors accountable.”

“This sentence is a reminder that the Department of Justice will hold accountable those doctors who are illegitimately prescribing opioids and fueling the country’s opioid crisis,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division. “Doctors who commit these unlawful acts exploit their roles as stewards of their patients’ care for their own profit.”

“DEA-registered medical practitioners have an important role in our communities to treat patients compassionately and responsibly,” said DEA Administrator Anne Milgram. “Today’s sentencing makes clear that medical professionals who recklessly prescribe opioids and endanger the safety and health of patients will be held accountable.”

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | billing, Centers For Disease Control, Conditions of Participation, Controlled Substances, Corporate Compliance, DEA, Doctor, drug treatment, E-Prescribing, Evidence Based Medicine, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, Health Plans, healthcare, hemp, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Licensing, managed care, marijuana, Medical Licensure, Medical Malpractice, Medical Records, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, Monopoly, OIG, Opiates, pain management, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Substance Abuse | Tagged: Federal Sentencing Guidelines, Opiate, pain management, Physician | Permalink
Posted by Cynthia Marcotte Stamer

CMS Updates COVID-19 Guidance For Visiting Nursing Homes & LTC Facility Vaccination During Omicron Surge

January 13, 2022

CMS recently updated its Nursing Home Resource Centerwith new pieces of informational guidance on visitation and vaccines in response to the recent surge in Omicron cases.

Visitation

As of January 6, CMS updated the Nursing Home Visitation FAQs (PDF) to give additional guidance about visitation during the Omicron surge and also created an infographic (PDF) to graphically represent how to safely conduct visits to nursing homes during this time of spiking COVID cases around the country. Nursing home providers, patients, caregivers, and CMS partners can use these 2 new resources to stay informed about CMS’ latest thinking for keeping nursing homes safe in the current COVID climate.

CMS also continues to urge long-term care settings, like nursing homes, assisted living, residential care communities, group homes, and senior housing, to ensure residents and staff get COVID-19 vaccine primary series and booster shots.

Vaccination

while long-term care and other Medicare and Medicaid participating healthcare providers continue to await the Supreme Court’s decision on the enforceability and validity of the Biden administration vaccine mandate for program participation, CMS continues to urge long-term care providers to coordinate access to COVID-19 vaccines, either in the local community or on-site using the newest CDC resources.

As a reminder, through enforcement discretion, CMS allows Medicare-enrolled immunizers, including but not limited to pharmacies working with the U.S., to bill directly and get direct reimbursement from the Medicare program for vaccinating Medicare skilled nursing facility residents. See, Medicare billing and payment information.

Long-term care another healthcare providers also need to continue to ensure that they meet all other contagious disease and related requirements for participation in these federal programs as well as our meeting and managing their occupational health and safety, occupational injury, sick and disability leave, employee benefit, accommodation and anti retaliation mandates. See, e.g. SCOTUS To Hear Oral Arguments on OSHA COVID-19 Vaccination Rule Enforceability On January 7; COVID-19 Vaccination Rule Injunctions Leave Employers With Significant Liability Challenges Even As OSHA Extends Comment Period on OSHA COVID-19 Vaccine ETS

More Information

About the Author

Past Board President of the Richardson Development Program for Children ECE and Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health industry legal, public policy and operational concerns.

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This involvement encompasses helping health care systems and organizations, schools, ECEs, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of a multitude of health industry and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | ASC, Centers For Disease Control, Conditions of Participation, Coronavirus, Corporate Compliance, Covid, Employee Benefits, Employer, Employment, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, healthcare, HHS, Hospice, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, Medicaid, Medicaid Advantage, Medicare, Medicare Advantage, occupational health, OSHA, Pandemic, participating provider, Provider contracting | Permalink
Posted by Cynthia Marcotte Stamer

Justice Department COVID & Other Health Care Fraud Enforcement Thriving Despite Pandemic Emergency

November 23, 2021

Federal health care fraud prosecution continues to thrive despite the ongoing COVID-19 health care emergency.

Recently announced prosecutions and other enforcement actions include Fraud & Abuse, False Claims Act and other health care fraud prosecutions commonly pursued by the Justice Department in recent decades as well as a host of new prosecutions of abuses of Covid-19 relief programs. Examples include:

These and other actions send a clear message to health care and life science organizations to continue vigorous health care fraud compliance and risk management activities as well as stay vigilant for signs of new audit and enforcement activities.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, American Rescue Plan Act of 2021, Anti-KickBack, ASC, Centers For Disease Control, Conditions of Participation, Coronavirus, Corporate Compliance, Covid, COVID-19, Electronic Health Records, Employer, false claims act, Health Care, Health care coding, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, healthcare, HHS, Home Health, home health, Hospice, Hospital, hospitals, Life Sciences, long-term care, Medicaid, Medicaid Advantage, Medicare, Medicare Advantage, Mental Heatlh, Money Laundering, OIG, Pandemic, Pharmacy, Physician, physician licensure, Reimbursement, retaliation, Skilled Nursing Facility, Stark, substance abuse treatment | Permalink
Posted by Cynthia Marcotte Stamer

ONC Extends SVAP Comment Period To May 2, 2022; Announces Schedule For Future Regulatory Updates

October 6, 2021

May 2, 2022 is the new deadline for comments on the office of the National Coordinator (“ONC”) Standards Version Advancement Process (SVAP).

ONC has established the voluntary Standards Version Advancement Process (SVAP)¹ to enable health IT developers’ ability to incorporate newer versions of Secretary-adopted standards and implementation specifications, as part of the “Real World Testing” Condition and Maintenance of Certification requirement in Section § 170.405 of the 21st Century Cures Act.

Using SVAP, certified health IT developers may voluntarily use a more advanced version of the standard(s) and implementation specification(s) approved by the National Coordinator, than adopted in the ONC 2015 Edition Certification Criteria. Currently, ONC limits flexibility to standards and implementation specifications adopted in the certification criteria required to meet “Real World Testing” condition of certification, which include Act § 170.315(b), (c)(1) through (c)(3), (e)(1), (f), (g)(7) through (g)(10), and (h).

Health IT developers taking advantage of the SVAP flexibility must ensure their real world testing plans and results of the certified health modules use these updated standards and implementation specifications and provide advance notice to their clients and their ONC-Authorized Certification Body (ONC-ACB) before adopting the new standards.

Beginning with the current (2021) SVAP and continuing into future years, ONC says it plans to announce annual approved standards for SVAP in June followed by a comment period from January to May each year with adopted standards taking effect in August.

In anticipation of this schedule, ONC extended the SVAP public comment period to May 2, 2022 to align with the planned schedule for standards development activities.

Interested developers and others wishing to review comment on the entire SVAP or on individual standards may access them here.

Interested persons wishing to monitor future developments also may wish to register to receive updates and calendar the scheduled ONC activities for upcoming year as part of their ongoing compliance plans.

More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | 21st century cures act, Conditions of Participation, Corporate Compliance, Cyber crime, data breach, data security, E-Prescribing, Electronic Health Records, Electronic Medical Records, Evidence Based Medicine, Health Care, Health Care Qulity, Health Care Reform, Health Insurance, Health IT, HHS, HITECH Act, Life Sciences, Medical Privacy, Medical Records, NIOSH, NIST, ONC, Technology, Telemedicine, templates | Permalink
Posted by Cynthia Marcotte Stamer

Biden-Harris Administration to Expand Vaccination Requirements for Health Care and Many Other Employers

September 9, 2021

All Medicare and Medicaid certified health care facilities, and a broad range of other employers must prepare to meet impending new federal COVID-19 vaccine mandates announced by the Biden-Harris Administration today.

According to today’s announcements all healthcare facilities participating in Medicare or Medicaid or employing 100 or more employees will be required to ensure all staff are vaccinated against COVID-19.

The Biden-Harris Administration says the new health industry COVID-19 vaccine mandates will be implemented through emergency regulations to be issued in October.

According to today’s announcement, the Centers for Medicare & Medicaid Service (“CMS”) in collaboration with the Centers for Disease Control (“CDC”) is developing an Interim Final Rule with Comment Period that will be issued in October that will extend vaccine mandates originally announced last month for all Medicare and Medicaid participating nursing home workers to include hospitals, dialysis facilities, ambulatory surgical settings, and home health agencies, among others, as a condition for participating in the Medicare and Medicaid programs. See CMS/CDC Mandating COVID Vaccination For All Nursing Home Staff.

The announcement of the vaccine mandates for healthcare workers coincides with the Biden-Harris Administration’s announcement of sweeping new vaccine mandates for all government workers, government contractors and employers employing more than 100 employees.

The two mandates will force most health care facilities to impose mask mandates for all staff in order to meet the requirement all staff be vaccinated.

CMS and CDC say the decision was based on the continued and growing spread of the virus in health care settings, especially in parts of the U.S. with higher incidence of COVID-19. They claim the action will protect patients of the 50,000 providers and over 17 million health care workers in Medicare and Medicaid certified facilities.

According to the CDC, nursing homes with an overall staff vaccination rate of 75% or lower experience higher rates of preventable COVID infection. In CMS’s review of available data, the agency is seeing lower staff vaccination rates among hospital and End Stage Renal Disease (ESRD) facilities. To combat this issue, CMS is using its authority to establish vaccine requirements for all providers and suppliers that participate in the Medicare and Medicaid programs. Vaccinations have proven to reduce the risk of severe illness and death from COVID-19 and are effective against the Delta variant.

In it’s announcement of the impending vaccination requirements, CDC urged health care facilities to prepare now to meet the new mandate in October. CMS expects certified Medicare and Medicaid facilities to act in the best interest of patients and staff by complying with new COVID-19 vaccination requirements.

CDC also urged any health care workers employed in these facilities who are not currently vaccinated are urged to begin the process immediately and facilities to use all available resources to support employee vaccinations, including employee education and clinics, as they work to meet new federal requirements.

While legal challenges to the mandate requirements are likely, most facilities that have not already adopted vaccine mandates are expected to adopt these mandates rather than risk losing eligibility for Medicare and Medicaid reimbursement and other sanctions.

Beyondprogram disqualification and attendant financial pressures, announcement of the new vaccine mandates adds vaccination to the list of safety safeguards that healthcare facilities as employers can expect to be required to enforce as part of the occupational safety rules of the Occupational Safety and Health Administration (”OSHA”).

OSHA already is sanctioning employers for violating COVID-19 related OSHA requirements. For instance, OSHA nailed Lakewood Resource and Referral Center Inc., dba Center for Education Medicine and Dentistry (CHEMED) with heavy fines for allegedly violating applicable COVID-19 safety guidelines in January, 2021.

In a July 23, 2021 citation letter, OSH proposes to fine CHEMED $273,064.00 for willfully violating OSHA by not providing a medical evaluation to determine each employee’s ability to use a N95 respirator, before the employee was fit tested or required to use the respirator in the workplace to protect against SARS-CoV-2 virus while testing suspected COVID-19 individuals.

In addition to the proposed fine, the citation also orders CHEMED to take a series of corrective actions and to post notices in the workplace informing workers of the violation.

Along with the CHEMED citation, OSH also cited a staffing agency contracted to provide nursing staffing to CHEMED, Homecare Therapies for also failing to conduct medical evaluations and fit tests. It received two violations and a proposed fine of $13,653.

In the face of these potential consequences, most covered health care facilities and other employers impacted by the mandate are likely to implement mandates unless and until these requirements are struct down by the courts or withdrawn.

Assuming the Administration follows appropriate procedures to adopt the rules, most legal commentators do not expect the legal challenges opposing the mandate orders to be successful in the courts particularly after the Supreme Court refused to overturn or hear arguments for overturning a unanimous decision of a three-judge panel of the United States Court of Appeals for the Seventh Circuit in Klassen v. Trustees of Indiana University that refused to enjoin a vaccine mandate imposed by Indiana University as a condition of student or staff in person participation in classes or other activities.

While most healthcare and other covered businesses are not expected to challenge the rules, compliance us likely to trigger backlash from some unvaccinated workers strongly opposed to becoming vaccinated. Employers may find that some employees will resign their employment or take other tactics to avoid becoming vaccinated. Even those who elect to become vaccinated to retain their employment are likely to express opposition and dissatisfaction that could create liability exposures for the employers if it becomes a basis for retaliation claim.

Employers in Texas and certain other states that have adopted rules restricting or prohibiting vaccine, mask or other mandates also may face challenges based on the state rules.

In light of these and other uncertainties and challenges, Healthcare and Other or Employers generally should seek legal advice and assistance from legal counsel experienced with the relevant health care, labor and employment, privacy and other concerns.

More Information

This article is republished by permission of the author, Cynthia Marcotte Stamer. To review the original work, see here.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information about the these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Most widely recognized for her work with health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations. and their leaders.

Ms. Stamer has extensive experience advising, representing, defending, and training domestic and international public and private business, charitable, community and governmental organizations and their leaders, employers, employee benefit plans, their fiduciaries and service providers, insurers, and others has published and spoken extensively on these concerns. As part of these involvements, she has worked, published and spoken extensively on these and other human resources, employee benefits, compensation, worker classification and other workforce and other services; insurance; health care; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other performance, risk management, compliance, public policy and regulatory affairs, and other operational concerns.

A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member, past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com, on Facebook, on LinkedIn or Twitter or e-mail here.

About Solutions Law Press, Inc.™

Leave a Comment » | Accreditation, ambulance, Ambulatory care, Anethesiology, Biological Warfare, CDC, Centers For Disease Control, Child Care, Conditions of Participation, Coronavirus, Corporate Compliance, Covid, Direct Primary Care, Disease Management, DME, Doctor, early childhood education, Emergency Care, Employer, Employment law, Health Care, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, healthcare, HHS, Home Health, home health, Hospice, Hospital, hospitals, Indian Health, Laboratory tests, Life Sciences, Medicaid, Medicaid Advantage, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, nursing home, occupational health, OSHA, Pandemic, Peer Review, Physician, Reimbursement, Union, vaccination | Tagged: ARRA, Corporate Compliance, Covid, DOJ, Health Care, Health Care Fraud, Health Care Provider, HEAT, Hospital, Medicaid, Medicare, Medicare Fraud Task Force, OCR, Pharma, pharmacist, pharmacy, Physician, Physicians, Privacy, Reimbursement, vaccine, vaccine mandate | Permalink
Posted by Cynthia Marcotte Stamer

CMS/CDC Mandating COVID Vaccination For All Nursing Home Staff

August 18, 2021

The Centers for Medicare & Medicaid Services (CMS), in collaboration with the Centers for Disease Control and Prevention (CDC), announced today plans to mandate COVID-19 vaccination for all Medicare and Medicaid-participating nursing home staff.

The joint announcement released today states the agencies are developing an emergency regulation requiring staff vaccinations within the nation’s more than 15,000 Medicare and Medicaid-participating nursing homes.

The agencies view the new requirement as a key component of protecting the health and safety of nursing home residents and staff.

Today’s action is in keeping with CMS’s authority to establish requirements to ensure the health and safety of individuals receiving care from all providers and suppliers participating in the Medicare and Medicaid programs. About 62% of nursing home staff are currently vaccinated as of August 8 nationally, and vaccination among staff at the state level ranges from a high of 88% to a low of 44%. The emergence of the Delta variant in the United States has driven a rise in cases among nursing home residents from a low of 319 cases on June 27, to 2,696 cases on August 8, with many of the recent outbreaks occurring in facilities located in areas of the United States with the lowest staff vaccination rates.

In May, the Agency issued new regulations that require Long-Term Care (LTC) facilities and Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICFs/IID) to educate residents, clients, and staff about COVID-19 vaccination and, when available, offer a COVID-19 vaccine to these individuals. These regulations also mandate that LTC facilities report weekly COVID-19 vaccination data for residents and staff to the CDC’s National Healthcare Safety Network (NHSN).

Today’s announcement states the agencies will continue to analyze vaccination data for residents and staff from the CDC’s National Healthcare Safety Network (NHSN) data as an additional method of compliance monitoring and in keeping with current practice, as well as deploy the Quality Improvement Organizations (QIOs)—operated under the Medicare Quality Improvement Program—to educate and engage nursing homes with low rates of vaccinations.

Meanwhile, the announcement strongly encourages nursing home residents and staff members to get vaccinated as the Agency undergoes the necessary steps in the rule-making process over the course of the next several weeks. CMS expects nursing home operators to act in the best interest of residents and their staff by complying with these new rules, which the Agency expects to issue in September.

According to today’s announcement, CMS also expects nursing home operators to use all available resources to support employees in getting vaccinated, including employee education and vaccination clinics, as they work to meet this staff vaccination requirement.

More Information

This article is republished by permission of the author, Cynthia Marcotte Stamer. To review the original work, see here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

About Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Centers For Disease Control, Conditions of Participation, Covid, Doctor, Employer, Employment, Employment law, Federal Health Center, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Policy, healthcare, HHS, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, long-term care, Medicaid, Medicaid Advantage, Medicare, Medicare Advantage, Mental Health, nursing home, OSHA, Physician, Public Policy, quality reporting, Reimbursement, Skilled Nursing Facility, substance abuse treatment, Whistleblower | Tagged: Health Care, Hospital, Covid, Long-term care, Medicare, nursing home, Physician, vaccination | Permalink
Posted by Cynthia Marcotte Stamer

OCR Guidance Urges Cyber Security Response To Kaseya VSA Supply-Chain Ransomware Attack

July 8, 2021

Responding to the July 2, announcement by IT software management company Kaseya VSA an that a supply-chain ransomware attack leveraged a vulnerability in the Kaseya RMM Tool against multiple managed service providers (MSPs) and their customers, the Office of Civil Rights (“OCR”) is urging health care providers, health plans, health care clearinghouses and their managed service providers (“MSPs”) and other business associates to follow guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (“FBI”) for customers affected by the Kaseya VSA Supply-Chain ransomware attack.

Organizations that used or used service providers that used these tools should review and take appropriate action in response to the guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI); and the Kaseya advisory.

CISA and FBI also recommend affected MSPs and other parties

Contact Kaseya at support@kaseya.com with the subject “Compromise Detection Tool Request” to obtain and run Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers’ systems.
Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend affected MSP customers ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;

CISA and FBI also recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: These actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack.For guidance specific to this incident from the cybersecurity community, see Cado Security’s GitHub page,Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack.Note: Due to the urgency to share this information, CISA and FBI have not yet validated this content.

For advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin Stone’s article, How secure is your RMM, and what can you do to better secure it?.

For general incident response guidance, CISA encourages users and administrators to see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.

More Information

If you are interested in a more detailed information about this or other developments discussed in this article, see here.

If you would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information or counsel about the these or other legal, management or public policy developments, Ms. Stamer’s work, experience, involvements, other publications, or programs, contact Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297, follow her on Facebook, LinkedIn or Twitter or see Cynthia Marcotte Stamer, P.C. Website.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Ms. Stamer has extensive experience advising, representing, defending and training domestic and international public and private health care and life sciences, charitable, community and governmental, and other business organizations and their leaders, employee benefit plans, their fiduciaries and service providers, insurers, and others. A widely published author and popular speaker, Ms. Stamer also has published and spoken extensively on wage and other and other health care, human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other compliance, governance, risk management, operational and public and regulatory affairs concerns.

A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to health, managed care, insurance, and other business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2021 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Corporate Compliance, Cyber crime, data breach, data security, E-Prescribing, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Provider, Health Care Quality, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, NIST, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

CMS Updates COVID-19 Accelerated and Advance Payments FAQs

July 8, 2021

Providers that received COVID-19 accelerated and advance payments should read the Centers for Medicare and Medicaid Services (“CMS”) updated FAQs (PDF) about repayment of COVID-19 accelerated and advance payments to learn how recoupment works and how it affects the provider’s Medicare claims payment amounts.

The new FAQ updates the Repayment of COVID-19 Accelerated and Advance Payments Began on March 30, 2021 (PDF) guidance.

For more information and to follow future updates, see the COVID-19 Accelerated and Advance Payments webpage or contact the author of this update.

More Information

If you are interested in a more detailed description of this or other developments discussed in this article, see here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Leave a Comment » | Academic medicine, American Rescue Plan Act of 2021, Anti-KickBack, billing, Centers For Disease Control, compensation, Conditions of Participation, Coronavirus, Corporate Compliance, COVID-19, Doctor, E-Prescribing, Emergency Care, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospital, hospitals, Indian Health, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, OIG, Pandemic, Physician, public health, Reimbursement, Uncategorized | Tagged: COVID-19, Health Care, Health Care Fraud, Medicare, Physician, recoupment, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Biden-Harris Plan To Beat COVID-19 Includes Plan To Expand Medicare, Other Health Care Plans

January 21, 2021

Newly sworn in President Joe Biden chose to make an executive order outlining the core principles for his Administration’s policy for fighting COVID-19 the first signed in his new administration.

The text of the COVID-19: The Biden-Harris plan to beat COVID-19 reads as follows:

The American people deserve an urgent, robust, and professional response to the growing public health and economic crisis caused by the coronavirus (COVID-19) outbreak. President Biden believes that the federal government must act swiftly and aggressively to help protect and support our families, small businesses, first responders, and caregivers essential to help us face this challenge, those who are most vulnerable to health and economic impacts, and our broader communities – not to blame others or bail out corporations.

The Biden-Harris administration will always:

Listen to science
Ensure public health decisions are informed by public health professionals
Promote trust, transparency, common purpose, and accountability in our government
President Biden and Vice President Harris have a seven-point plan to beat COVID-19.

Ensure all Americans have access to regular, reliable, and free testing.

Double the number of drive-through testing sites.
Invest in next-generation testing, including at home tests and instant tests, so we can scale up our testing capacity by orders of magnitude.
Stand up a Pandemic Testing Board like Roosevelt’s War Production Board. It’s how we produced tanks, planes, uniforms, and supplies in record time, and it’s how we will produce and distribute tens of millions of tests.
Establish a U.S. Public Health Jobs Corps to mobilize at least 100,000 Americans across the country with support from trusted local organizations in communities most at risk to perform culturally competent approaches to contact tracing and protecting at-risk populations.
Fix personal protective equipment (PPE) problems for good.

President Biden is taking responsibility and giving states, cities, tribes, and territories the critical supplies they need.

Fully use the Defense Production Act to ramp up production of masks, face shields, and other PPE so that the national supply of personal protective equipment exceeds demand and our stores and stockpiles — especially in hard-hit areas that serve disproportionately vulnerable populations — are fully replenished.
Build immediately toward a future, flexible American-sourced and manufactured capability to ensure we are not dependent on other countries in a crisis.
Provide clear, consistent, evidence-based guidance for how communities should navigate the pandemic – and the resources for schools, small businesses, and families to make it through.

Social distancing is not a light switch. It is a dial. President Biden will direct the CDC to provide specific evidence-based guidance for how to turn the dial up or down relative to the level of risk and degree of viral spread in a community, including when to open or close certain businesses, bars, restaurants, and other spaces; when to open or close schools, and what steps they need to take to make classrooms and facilities safe; appropriate restrictions on size of gatherings; when to issue stay-at-home restrictions.
Establish a renewable fund for state and local governments to help prevent budget shortfalls, which may cause states to face steep cuts to teachers and first responders.
Call on Congress to pass an emergency package to ensure schools have the additional resources they need to adapt effectively to COVID-19.
Provide a “restart package” that helps small businesses cover the costs of operating safely, including things like plexiglass and PPE.
“THIS ISN’T ABOUT POLITICS. IT’S ABOUT SAVING LIVES.”

PRESIDENT BIDEN, SEPTEMBER 16, 2020
Plan for the effective, equitable distribution of treatments and vaccines — because development isn’t enough if they aren’t effectively distributed.

Invest $25 billion in a vaccine manufacturing and distribution plan that will guarantee it gets to every American, cost-free.
Ensure that politics plays no role in determining the safety and efficacy of any vaccine. The following 3 principles will guide the Biden-Harris administration: Put scientists in charge of all decisions on safety and efficacy; publicly release clinical data for any vaccine the FDA approves; and authorize career staff to write a written report for public review and permit them to appear before Congress and speak publicly uncensored.
Ensure everyone — not just the wealthy and well-connected — in America receives the protection and care they deserve, and consumers are not price gouged as new drugs and therapies come to market.
Protect older Americans and others at high risk.

President Biden understands that older Americans and others at high-risk are most vulnerable to COVID-19.

Establish a COVID-19 Racial and Ethnic Disparities Task Force, as proposed by Vice President Harris, to provide recommendations and oversight on disparities in the public health and economic response. At the end of this health crisis, it will transition to a permanent Infectious Disease Racial Disparities Task Force.
Create the Nationwide Pandemic Dashboard that Americans can check in real-time to help them gauge whether local transmission is actively occurring in their zip codes. This information is critical to helping all individuals, but especially older Americans and others at high risk, understand what level of precaution to take.
Rebuild and expand defenses to predict, prevent, and mitigate pandemic threats, including those coming from China.

Immediately restore the White House National Security Council Directorate for Global Health Security and Biodefense, originally established by the Obama-Biden administration.
Immediately restore our relationship with the World Health Organization, which — while not perfect — is essential to coordinating a global response during a pandemic.
Re-launch and strengthen U.S. Agency for International Development’s pathogen-tracking program called PREDICT.
Expand the number of CDC’s deployed disease detectives so we have eyes and ears on the ground, including rebuilding the office in Beijing.
Implement mask mandates nationwide by working with governors and mayors and by asking the American people to do what they do best: step up in a time of crisis.

Experts agree that tens of thousands of lives can be saved if Americans wear masks. President Biden will continue to call on:

Every American to wear a mask when they are around people outside their household.
Every Governor to make that mandatory in their state.
Local authorities to also make it mandatory to buttress their state orders.
Once we succeed in getting beyond this pandemic, we must ensure that the millions of Americans who suffer long-term side effects from COVID don’t face higher premiums or denial of health insurance because of this new pre-existing condition. The Biden-Harris Administration will work to ensure that the protections for those with pre-existing conditions that were won with Obamacare are protected. And, they will work to lower health care costs and expand access to quality, affordable health care through a Medicare-like public option.

As the new Administration and Congress get down to work, health industry organizations as well as all other U.S. organizations and communities, their leaders, and individual employees and citizens should carefully follow, and share their input to the Administration, members of Congress, and other federal, state and local officials on the actions and proposals taken to implement this and other policy that impact their interests. The need for careful attention and scrutiny is particularly important for health, managed care and insurance and management organizations as President Biden made clear throughout his campaign his intent to pursue legislative and regulatory reforms that would reverse actions of the previous administration as well as implement addition reforms to expand coverage and regulation of health care, workforce and other critical policies.

More Information

About the Author

An attorney board certified in labor and employment law by the Texas Board of Legal Specialization and Fellow in the American College of Employee Benefit Counsel, Ms. Stamer has worked as an on demand, special project, consulting, general counsel or other basis with health care providers, health insurers, employer and other management organizations, health and other employee benefit plans, their sponsors, insurers, administrators, providers and others and others has published and spoken extensively on these concerns.

A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor and advocate for employer and other plan sponsors, fiduciaries, administrators, insurers, technology and other service providers, managed care organizations, direct primary care and other health care providers and others on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com or contact Ms. Stamer via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Leave a Comment » | CDC, Centers For Disease Control, Consumer Driven Health Care, Coronavirus, Corporate Compliance, COVID-19, Cultural diversity, Direct Primary Care, Disability Discrimination, DME, Doctor, Emergency Care, Employee Benefits, Employer, Employment, Employment law, ERISA, Evidence Based Medicine, Fast Track Approval, FDA, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, HHS, home health, Hospice, Hospital, hospitals, Labor Law, Laws, managed care, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Pandemic, Pharmaceudical, Physician, Reimbursement, Uncategorized | Tagged: Biden Administration, COVID-19, Health Care | Permalink
Posted by Cynthia Marcotte Stamer

Pennsylvania OCR Settlement Warns Others Against Disability Or Other Civil Rights Discrimination In COVID-19 Resource Allocation & Other Response

April 30, 2020

OCR Says “No” To Allocating Respirators & Other Scarce COVID-19 Care Based On Pre-Existing Medical Conditions

This week’s Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announcement of that the Pennsylvania Department of Health (PDH) has agreed to using a list of preexisting health care conditions to decide patient priority for access to respirators and other scarce resources during the COVID-19 health care emergency flags potential civil rights discrimination violations by the multitude of other State, local, tribal, and territorial public health policymakers, healthcare systems leadership, and other public emergency decision-makers and other public or private HHS funds recipients (collectively “COVID responders”) whose pandemic emergency response plans call for the use pre-existing health conditions or other civil rights act protected status of patients to ration scarce medical resources like ventilators or other scarce resources.

Coupled with other recent guidance warning COVID responders against discrimination and to provide all legally required accommodations for individuals with pre-existing conditions or disorders constituting disabilities, English as a second language, religion, age or other protected status under Section 504 of the Rehabilitation Act of 1973 (“Section 504”), Title II of the Americans with Disabilities Act (the “ADA”), Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal civil rights laws, health care providers, public health authorities and other COVID-19 responders should act immediately to review and take any action needed to correct civil rights law deficiencies in their own COVID-19 emergency policies or operations.

PDH Enforcement Shows Agencies’ Serious About COVID-19 Civil Rights Enforcement

OCR’s April 28, 2020, OCR announcement of PDH’s agreement to revise its Interim Pennsylvania Crisis Standards of Care for Pandemic Guidelines (CSC Guidelines) to revolve an April 3, 2020 civil rights complaint that PDH’s COVID-19 pandemic response plan illegally discriminated against patients with disabilities by denying or lowing the care priority of patients with certain listed preexisting health conditions shows that OCR and other federal agencies are carrying through on promises to take quick enforcement action against COVID-19 responders that violate federal discrimination and other civil rights laws when dealing with the COVID-19 public health emergency in the March 14, 2020 Crisis Standards of Care and Civil Rights Laws guidance (“CSC Guidelines”) and in OCR’s March 28, 2020 Civil Rights, HIPAA, and the Coronavirus Disease 2019 Bulletin (the “Bulletin”).

The CSC Guidelines jointly issued by the Health Care Resilience Taskforce (composed of HHS, FEMA, and the Army Corps of Engineers) warned public health, health care providers and other pandemic decisionmakers against adopting or applying policies in for managing ventilators or other constricted resources during the COVID-19 or other emergencies that negatively impact vulnerable populations (e.g., older adults and persons with disabilities). After reminding state, local, tribal, and territorial policymakers, healthcare systems leadership, and other decision-makers that civil rights laws are not suspended or waived in times of disaster, the CSC Guidelines cautioned “Federal civil rights laws and regulations apply, and have not been suspended, during the COVID19 national health emergency. Federal fund recipients must comply with those requirements.”

OCR reaffirmed the CSC Guidelines warnings in its March 28, 2020 Bulletin reminding health care providers and other HHS fund recipients the laudable goal of providing care quickly and efficiently during the COVID-19 health care emergency still must comply with federal civil rights prohibitions against disability discrimination in HHS funded programs under Section 1557, Section 504, and other civil rights laws, stating:

“persons with disabilities should not be denied medical care on the basis of stereotypes, assessments of quality of life, or judgments about a person’s relative “worth” based on the presence or absence of disabilities or age. Decisions by covered entities concerning whether an individual is a candidate for treatment should be based on an individualized assessment of the patient based on the best available objective medical evidence.”

The PDH disability discrimination investigation and resolution announced April 28^th resulted from OCR’s investigation of a civil rights complaint filed less than a week after OCR released the Bulletin by Disability Rights Pennsylvania and other disability rights groups. Like many other regional and facility pandemic response plans, the CSC Guidelines listed specific impairments or disabilities that would lead to greater deprioritization of patients for care during a pandemic emergency. The April 3 complaint against PDH charged that Pennsylvania’s CSC Guidelines violated Section 504, Title II, and Section 1557 by unlawfully authorizing the denial of treatment to individuals with disabilities when prioritizing access to critical care and ventilators. The complaint also alleged that the guidelines did not require an individualized assessment, but instead used “preexisting conditions that are disabilities” to determine a priority score.

OCR PDH COVID-19 Civil Rights Investigation & Settlement

Consistent with the warning provided in the Bulletin, OCR moved with rare speed to investigate the complaint and notify PDH of its civil rights concerns. To resolve potential OCR civil rights charges, OCR announced April 28, 2020 that PDH agreed to accept technical assistance from OCR and make the following revisions to its CDC guidelines:

Remove criteria that automatically deprioritized persons on the basis of particular disabilities,
Require individualized assessments based on the best available, relevant, and objective medical evidence to support triaging decisions, and
Ensure at no one is denied care based on stereotypes, assessments of quality of life, or judgments about a person’s “worth” based on the presence or absence of disabilities.

Based on these “responsive actions and the revisions” to its guidelines in response to OCR’s concern, the OCR announcement states that OCR is closing its complaint investigation as satisfactorily resolved without a finding of liability while noting that this does not preclude future OCR enforcement in cases of potential discriminatory implementation of Pennsylvania’s policies by any covered health care provider.

Other Public Health, Health Care & Other COVID Responders Should Confirm COVID-19 Civil Rights Response Compliance

The PDH announcement provides a strong warning to health care providers, public health authorities and other COVID-19 responders to act quickly to evaluate and make any necessary adjustments to redress any questionable disability or other civil rights concerns in their own COVID-19 or other emergency response plans or practices.

Even before the COVID-19 health care emergency, disability and other civil rights law enforcment already was a high priority for OCR and other federal agencies. See e.g., Civil Rights Settlement Highlights Health Industry Discrimination Risks As OCR Prepares To Broaden Requirements; OCR’s Proposed Sex & Other Discrimination Rules Spell Headaches & New Risks For Health Care Providers, Insurers & Others; Check Defensibility Of Policies & Practices Given New HHS/DOJ Joint Disability Law Technical Assistance; Important Lessons For Health Care Providers From Michigan State Settlement Of OCR Larry Nassar Sexual Abuse Investigation; Cognitive Disability Exclusion from Heart Transplant List Placement Prohibited.

The PDH announcement clearly alerts other health care providers and COVID-19 responders that OCR does not plan to slacken civil rights discrimination investigation or enforcement against health care providers or others because of the COVID-19 health care emergency. Rather, the PDH investigaiton and resolution make clear that COVID-19 responders need to use particular care take the well-documented steps necessary to ensure they can defend their ongoing compliance with disability discrimination and other federal civil rights laws throughout the COVID-19 health care emergency.

In this respect, OCR’s PDH announcement makes a point of clearly warning other public health, health care providers and other recipients of HHS funding across the nation against using preexisting conditions or other prohibited stereotypes or classifications of patients without individual assessments to triage and prioritize access to care or other resources for purposes of their COVID-19 or other pandemic planning or response. To emphasize the importance of continued compliance with these civil rights laws, the Bulletin quotes OCR Director Roger Severino, as stating: “Triage decisions must be based on objective and individualized evidence, not discriminatory assumptions about the prognoses of persons with disabilities” and “we must ensure that triage decisions are free from discrimination both in their creation and their application, and we will remain vigilant in achieving that goal.”

These warnings and OCR’s quick enforcement action make clear that OCR’s commitment to hold health care providers, state and local public health, and other COVID-19 responders accountable for ensuring their COVID-19 pandemic plans and operations don’t impermissibly discriminate against individuals with or needing accommodations for disabilities, limited English skills, religious beliefs, age or other status protected by HHS’ civil rights rules. Meanwhile, OCR’s reported willingness to accept PHD’s prompt corrective action without imposing financial sanctions also signals the probable willingness of OCR to show similar leniency to other health care providers or COVID-19 responders that for acting promptly to self-identify and redress potentially questionable past COVID-19 restricted resource allocation practices in response to the PDH announcement and other COVID-19 civil rights compliance guidance.

Given the often multimillion dollar penalties and other heavy sanctions that OCR already regularly imposes against a long and ever-growing list of state and other health care, child care, elder care, insurance and other entities for violating its civil rights nondiscrimination and accommodation requirements and the often significant judgements awarded to private litigant victims, state and local public health, health care providers and other COVID providers generally will want to review and tighten as advisable their existing practices to reduce the risk of being incuring penalties or judgments, being sanctioned, excluded or a combination of these consequences for violation of these nondiscrimination and other civil rights requirements by among other things:

Auditing the adequacy of their pandemic response and other plans, policies, practices and actions for allocating scarce resources and care during the COVID-19 health emergency and in other scarce resource situations;
Developing a strategy and procedures for receiving, investigating and responding with appropriate documentation to complaints or other indicators of potential civil rights violations or risks;
Taking prompt, documented action to reform and strengthen civil rights policies, practices and controls, training, investigations and other compliance and risk management;
Explore potential strategies, if any, to mitigate potential liability exposure to OCR or private litigant investigations or enforcement from past, ongoing or future policies or actions; and
Other actions to maintain and demonstrate their organization-wide culture of compliance with applicable civil rights laws.

Since organization and their leaders likely will be required to uncover and discuss legally and politically sensitive information in the course of these activities, public health, health care and other COVID responders are encouraged to consider engaging qualified legal counsel with relevant experience to advise and guide them in conducting, maintaining and using attorney-client privilege and other procedures to safeguard sensitive analysis, discussions and work product from avoidable discovery and other processes to promote the legal effectiveness and defensibility of their actions.

More Information & Resources

We hope this update is helpful. If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. In addition to this update, the author of this article also is extensively published and frequent speaker on pandemic and other infectious disease, and other health industry crisis preparedness and response, and many other regulatory compliance, risk management and operations, public policy and other concerns. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. also invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a practicing attorney, management and regulatory affairs consultant, author and lecturer, who has worked extensively on pandemic and other crisis planning, preparedness and response and other business change, risk, compliance and operation management throughout her 30 plus year career.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, and a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel, Ms. Stamer is widely recognized for her pragmatic, leading edge work, scholarship and thought leadership on domestic and international, public and private sector health care and managed care, workforce and performance, safety, legal and operational compliance and risk management, crisis preparedness and response, and other essential legal and operational concerns.

Her experience includes extensive work domestically and internationally with hospitals, health care systems, clinics, skilled nursing and other long term care, rehabilitation and other health care facilities; physicians, medical staff and other health care providers and organizations; accreditation, peer review and quality committees and organizations; health care management and technology and other health and managed care industry clients; self-insured and insured health and other employee benefit plans, their sponsors, fiduciaries, administrators, insurers and service providers and other payers; employers; billing, utilization management, quality, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization and the author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans and a multitude of other publications and workshops on health and other disaster and other crisis preparedness, risk management and response, as well as a multitude of other health care, workforce and other management and regulatory affairs publications and presentations, Ms. Stamer also shares her thought leadership through her extensive and diverse involvement in a broad range of other professional and civic organizations. Examples of these involvements include her service as the current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former JCEB Council Representative; past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; former ABA RPTE Employee Benefits & Other Compensation Group Chair and Past Chair and current Co-Chair of its Welfare Benefits Committee; former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas; former technical advisor to the National Physicians Council on Health Care Policy; former member of the Stem Cell Advisory Committee; and in a multitude of other professional, trade, civic and community service organizations . For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides consulting, publications and other information, education, coaching, training, tools and other resources on leadership, governance, health care, human resources, employee benefits, insurance, public policy and regulatory affairs, data security and privacy and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive license to republish granted to SOlSolutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | 21st century cures act, ADA, air ambulance, Biological Wafar3e, Civil Rights, Consumer Driven Health Care, Coronavirus, Corporate Compliance, COVID-19, Cultural diversity, Diabetes, Disability Discrimination, Disease Management, DME, Doctor, drug treatment, ebola, Emergency Care, English as A Second Language, Health Care Provider, Health Care Quality, healthcare, HHS, Home Health, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, managed care, medical devices, Pandemic, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

CMS Steps Up Nursing Home Inspections & Tightens Inspections In Response To Continuing COVID-19 Outbreaks & Deaths

April 3, 2020

Skilled nursing and other long term care facilities commonly known as “nursing homes” (“LTC facilities”),[i] rehabilitation, assisted living, retirement and other facilities and communities caring for elderly, disabled, aged or other infirm patients or residents should use recently released tools to confirm the adequacy of and update their current COVID-19 and other infectious disease prevention and control and other key policies and practices with the latest Centers for Medicare & Medicaid Services (CMS) and Centers for Disease Control and Prevention (CDC) requirements and guidelines in light of recently announced changes to CMS nursing home inspection policies (the “Targeted Inspection Policy”)[iii] that target nursing homes with COVID-19 outbreaks or death for likely inspection announced March 23, 2020 including all existing requirements including new “recommendations” on nursing homes on COVID-19 preparedness and response announced April 2, 2020 (the “April Recommendations”).[iii]

Prompted by the continuing explosive growth in COVID-19 infection and deaths among nursing home residents and widespread deficiencies found during recent inspections at the Kirkland, Washington Life Care Center nursing homes (the “Kirkland Facilities”) made notorious by the death of 23 people and other nursing homes with COVID-19 inspections, the Targeted Inspection Policy and April Recommendations supplement and give more teeth to the CMS Guidance for Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes (the “3/3 Directive”)[iv] previously released by CMS released in conjunction with President Trump’s Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (“COVID Emergency Declaration”) in response to concerns raised by reports of 19 COVID-19 related deaths at the Kirkland Facilities[v] on March 13, 2020.

Despite CMS and CDC’s efforts to reign in nursing home based COVID-19 infections and deaths by ordering nursing homes in the Nursing Home Directive to limit outside visitors and take other precautions outlined in the Nursing Home Directive and release of other guidance and tools, nursing home based COVID-19 infections and deaths have continued to soar since March 13, 2020.[vi] Meanwhile, onsite audits at the Kirkland Facilities and other facilities during March uncovered concerning deficiencies in the compliance at the Kirkland Facilities and many other nursing homes across the nation, as well as the need to address other weaknesses in current CMS and CDC practices and guidelines that the agencies determined were perpetuating practices that left nursing home residents exposed to COVID-19.

The new Targeted Inspection Policy and April Recommendations attempt to address these compliance and other concerns by updating, clarifying and supplementing previously established requirements and guidance, providing new tools for nursing homes and their inspectors to use to assess nursing home compliance with the latest standards and stepping up inspections and enforcement of nursing homes that experience COVID-19 outbreaks.[vii]

April Recommendations Send Warnings, Share New Tools

To this end, the just announced April Recommendations urge nursing homes to move quickly to clean up their practices by:

Urging nursing homes to immediately ensure that they are complying with all CMS and CDC guidance related to COVID-19 and other infection control and other requirements;
Urging nursing homes immediately to implement symptom screening for all staff, residents, and visitors – including temperature checks; [viii]
Urging nursing homes to ensure all staff are using appropriate PPE when interacting with patients and residents, to the extent PPE is available and per CDC guidance on conservation of PPE;
Confirming the availability of Medicare coverage of Medicare enrolled residents performed by laboratories and that facilities can allow laboratory personnel into facilities to perform the tests;
Urging State and local leaders to consider the needs of long term care facilities with respect to supplies of PPE and COVID-19 tests as nursing homes are a critical part of the healthcare system, and because of the ease of spread in long term care facilities and the severity of illness that occurs in residents with COVID-19,
Recommending facilities use separate staffing teams for residents to the best of their ability to avoid transmission within nursing homes in response to evidence that using staff shared between multiple facilities helped to fuel the COVID-19 outbreak in the Kirkland Facilities;
Consistent previously published guidance and resources on the CDC Isolation Sites and Alternative Care Sites webpage,[ix] urging nursing homes to work with State and local leaders to designate separate facilities or units within a facility to separate COVID-19 negative residents from COVID-19 positive residents and individuals with unknown COVID-19 status; and
Encouraging facilities to use new targeted survey assessment tools adopted by CMS to guide inspections under the Targeted Inspection Program to self-assess and make appropriate adjustments to tighten their facility compliance with applicable requirements and guidelines promptly.

While characterized as “recommendations,” the reaffirmation in the April Recommendations that CMS intends to continue to follow the new Targeted Inspection Policy announced March 23, 2020 sends a strong message to all nursing homes that CMS does not view compliance with the recommendations as optional.

Under the Targeted Inspection Policy, CMS intends to conduct targeted inspections giving prioritization for Immediate Jeopardy investigations over recertification surveys for Clinical Laboratory Improvement Amendment (CLIA) laboratories.

According to CMS’ announcement regarding the Targeted Inspection Policy, only the following types of federal inspections will be prioritized and conducted over the next few weeks:

Complaint inspections: State survey agencies will continue to conduct inspections related to complaints and facility-reported incidents that are triaged at the Immediate Jeopardy level. Inspectors will use a streamlined Infection Control review tool, regardless of the Immediate Jeopardy allegation.
Targeted Infection Control inspections: Federal and state inspectors will conduct targeted infection control inspections of providers identified through CMS collaboration with the Centers for Disease Control and Prevention (CDC). These inspectors will use a streamlined targeted review checklist to minimize the impact on provider activities, while ensuring providers are implementing actions to protect health and safety. This will consist of both onsite and offsite inspections.
Self-Assessments: The Infection Control checklist referenced above will also be shared with providers and suppliers, to allow for self-assessment of their Infection Control plans. This may be the best solution in some cases when there is a lack of personal protective equipment or state surveyors available.

During this time frame, CMS has indicated it will not conduct the following inspections:

Standard inspections for nursing homes, hospitals, home health agencies, intermediate care facilities for individuals with intellectual disabilities, and hospices; and

Revisit inspections not associated with Immediate Jeopardy.

In addition to redefining the priorities and scope for conducting inspections in the new Targeted Inspection Policy, CMS also refocused the inspection process that surveyors are expected to use when conducting inspections under the Targeted Inspection Policy which includes existing components of CMS’s infection control inspection process updated to include the latest CDC and CMS guidance. Under the Targeted Inspection Policy CMS and state inspectors will be guided by a newly developed and updated targeted assessment tool in assessing if certain facilities are prepared to meet CMS’s expectations for preventing the spread of COVID-19. When gaps are identified, CMS warns that facilities will be required to take corrective actions to close the gaps.

Facilities are well advised to follow the recommendation of CMS to use the new surveyor tools to self-assess their own ability to prevent the spread of COVID-19 in accordance with applicable CMS requirements both to mitigate potential exposures to CMS sanctions and because CMS also is encouraging residents and families to be proactive about nursing home safety by among other things asking facility staff how the facility performed on its self-assessment. Facilities and their leaders at all times should keep in mind the significant risks that they are likely to incur if significant deficiencies are found from an inspection. While the March 23, 2020 announcement of the Targeted Inspection Policy states that CMS is not seeking to be punitive, but rather to respond to urgent issues while proactively ensuring providers are compliant with federal health and safety standards. Accordingly, CMS has indicated that CMS intends to exercise enforcement discretion, unless Immediate Jeopardy situations arise. Given the conclusions announced regarding Immediate Jeopardy findings found from the inspection at the Kirkland Facility, however, nursing homes are well advised to assume that the occurrence of COVID-19 related deaths or infections at their facilities might create a significant risk of Immediate Jeopardy findings with regard to their facilities which could result in significant sanctions.

CMS and other agencies continue to tailor their response to the COVID-19 outbreak. In addition to verifying and maintaining their compliance with current COVID-19 and other CMS, CDC and state and local requirements and guidelines, nursing homes and their leaders also should continue to monitor emerging developments and guidance from CMS, CDC, the Federal Emergency Management Agency (“FEMA”) and their state and local regulatory bodies.

[i] Nursing homes (also known as “skilled nursing facilities” under the Medicare program and “nursing facilities” under Medicaid; or “long-term care facilities”).

[ii] Press release Trump Administration Issues Key Recommendations to Nursing Homes, State and Local Governments, CMS (2020), https://www.cms.gov/newsroom/press-releases/trump-administration-issues-key-recommendations-nursing-homes-state-and-local-governments (last visited Apr 2, 2020).

[iii] Fact sheet Kirkland, Washington Update and Survey Prioritization Fact Sheet, CMS (2020), https://www.cms.gov/newsroom/fact-sheets/kirkland-washington-update-and-survey-prioritization-fact-sheet (last visited Mar 31, 2020).

[iv] Guidance For Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes, DEPARTMENT OF HEALTH & HUMAN SERVICES (2020), https://www.cms.gov/files/document/3-13-2020-nursing-home-guidance-covid-19.pdf (last visited Mar 30, 2020).

[iv] Nursing home with the biggest cluster of covid-19 deaths to date in the U.S. thought it was facing an influenza outbreak, a spokesman says, https://www.msn.com/en-us/news/us/nursing-home-with-the-biggest-cluster-of-covid-19-deaths-to-date-in-the-us-thought-it-was-facing-an-influenza-outbreak-a-spokesman-says/ar-BB11fvgj (last visited Mar 30, 2020).

[vi] See e.g., Guidance for Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes (REVISED), CMS (2020), https://www.cms.gov/files/document/qso-20-14-nh-revised.pdf (last visited Apr 2, 2020).

[vii] In the initial wave of surveys during the week of March 30, CMS reports finding 36 percent of facilities inspected in recent days did not follow proper hand washing guidelines and 25 percent failed to demonstrate proper use of personal protective equipment (PPE) required by longstanding federal regulations. Press release Trump Administration Issues Key Recommendations to Nursing Homes, State and Local Governments, CMS (2020), https://www.cms.gov/newsroom/press-releases/trump-administration-issues-key-recommendations-nursing-homes-state-and-local-governments (last visited Apr 3, 2020).

[viii] Facilities that have not already done so should consult with experienced legal counsel for assistance about the advisability of providing or posting notifications and/or securing consents to these screening procedures, advisable or recommended procedures regarding the collection, use, or disclosure of screenings or their results, or other safeguards to manage relevant privacy or other legal rights or risks.

[ix] See Alternate Care Sites and Isolation Sites (March 25, 2020) https://www.cdc.gov/coronavirus/2019-ncov/healthcare-facilities/alternative-care-sites.html. Also see Topic Collection: Alternate Care Sites (including shelter medical care) https://asprtracie.hhs.gov/technical-resources/48/alternate-care-sites-including-shelter-medical-care/47.

More Information

We hope this update is helpful. In addition to this update, the author also has prepared a more comprehensive discussion of these concerns scheduled for publication by the American Bar Association Health Publication in April, 2020. To request access for a prepublication unofficial manuscript of that upcoming publication or of more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive license to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | 1335 Waiver, Biological Warfare, Centers For Disease Control, Conditions of Participation, Coronavirus, Corporate Compliance, COVID-19, Disaster Relief, Disease Management, drug treatment, Durable Medical Equipment, Federal Health Center, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, HHS, home health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Laboratory tests, Licensing, long-term care, Medicaid, Medicare, Medicare Advantage, Mental Heatlh, nursing home, Pandemic, Patient Empowerment, Physician, public health, Public Policy, quality reporting, Reimbursement, Skilled Nursing Facility, Uncategorized, Veterans Health, Veterans Health Care | Permalink
Posted by Cynthia Marcotte Stamer

Gastroenterology Practices Pays $100K For HIPAA Noncompliance

March 3, 2020

The $100,000 settlement payment the medical practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Serves as a warning to other physicians and healthcare providers that they too could pay big bucks for failing to comply with HIPAA. The resolution agreement and corrective action plan may be found here.

Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.

OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Many physician and other small healthcare providers underestimate their responsibilities or their exposure for noncompliance. Many have never conducted the necessary risk analysis or initially adopted the requisite policies and procedures to comply. Furthermore, practices relying upon outsourced management or compliance services for their HIPAA compliance need to ensure that they have appropriate business associates agreements with those and all other service providers. While OCR typically takes into account efforts to obtain services as evidence of a culture of compliance, when breaches happen in the practice or at the business associate, A physician or other healthcare provider can expect OCR to investigate their compliance and potentially their culpability for the breach. physicians and other healthcare providers also should not assume that their engagement of a service HIPAA to comply with or provide HIPAA compliant services equates to making that service provider accountable for the quality in adequacy of the services.Typically service providers and consultants limit their liability contractually and otherwise when providing these services, often do not have adequate compliance themselves, or both. Licensing agreements and other services contracts typically include various provisions excusing or limiting the service provider from liability for deficiencies in compliance resulting from inadequacies in their procedures, operational noncompliance or both. In some instances, business associates may include provisions in their business associate agreement or other related agreements that actually obligate the healthcare provider to defend and indemnify the service provider for breaches and other liabilities arising out of HIPAA noncompliance. Since the cost of investigating and defending an alleged complaint can be very expensive even if no penalties are sought by OCR, most physicians and other healthcare providers should explore the availability of insurance coverage to help protect against these expenses.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring.

Physicians and other healthcare providers need to keep in mind that OCR penalties are not the only risk of HIPAA violations. Noncompliance with these requirements also commonly gives rise to licensing board, peer review, and other professional, employment or contractual consequences as well as negative publicity.

The resolution agreement demonstrates OCR requires physicians shouldn’t expect OCR to look the other way when they violate HIPAA. Given the potential professional and monetary liability risk that result from complaints and violations, physicians and other healthcare Should consult with qualified legal counsel for assistance with assessing the adequacy of their current clients within the scope of attorney-client privilege. Additionally, in the event of a complaint or threaten complaint, physicians and other healthcare providers should take appropriate steps to conduct a documentary investigation. As discussions and activities conducted in association with such investigations can involve sensitive communications and information, it also is advisable to consult with legal counsel at the beginning of an issue to determine whether the investigation or other activities should be conducted within the scope of attorney-client privilege so as to minimize exposure of sensitive communications as admissions or another discoverable evidence for administrative or litigation proceedings.

More Information

About the Author

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Leave a Comment » | ambulance, ASC, data security, Direct Primary Care, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Emergency Care, FACTA, Federal Health Center, Genetic Information, GINA, Health Care Fraud, Health Care Provider, Health IT, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Licensing, long-term care, Medical Privacy, Medical Records, OCR, participating provider, Pharmacy, Physician, Physician Licensing, Privacy, Substance Abuse, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

ONC Adds Reducing Provider EHR Burdens & Promoting Electronic Health Data Use In Research To Health IT Priorities

February 25, 2020

Reducing health care providers burdens from using electronic health records (“EHRs”) and promoting the better uses of electronic medical data in medical research are the focus of two new health information technology (“health IT”) policy documents released this week by the Department of Health & Human Services (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”). Health care providers, health researchers, health plans, health care clearinghouses and other health data collectors or users, as well as health IT providers and other interested persons will want to evaluate carefully these new ONC releases for insights about policy and other efforts ONC is promoting to shape the use of health IT and data.

Reducing Health IT and EHR Burdens On Providers

On February 21, 2020, ONC moved forward on its efforts to implement “a comprehensive strategy to reduce the regulatory and administrative burden related to the use of health IT, including EHRs” by publishing its “Strategy on Reducing Regulatory and Administrative Burdens Relating to the Use of Health IT and EHRs” (the “EHR Report”) targets burdens tied to regulatory and administrative requirements that HHS can directly impact through the rulemaking process. A collaborative effort between ONC and the Centers for Medicare & Medicaid Services (CMS), the report’s strategies was developed in response to a Congressional mandate in the 21^st Century Cures Act, which directed HHS to develop a plan of action to reduce regulatory and administrative burden relating to the use of health IT and EHRs and finalizes the draft version of this strategy ONC released in November 2018. Based on stakeholder input, the final HER Report outlines three overarching goals designed to reduce clinician burden:

Reduce the effort and time required to record health information in EHRs for clinicians;
Reduce the effort and time required to meet regulatory reporting requirements for clinicians, hospitals, and healthcare organizations; and
Improve the functionality and ease of use of EHRs.

ONC says reducing unnecessary regulatory burden will alleviate time spent on administrative tasks. For example, during listening sessions with clinicians, we heard criticism that the documentation guidelines for Evaluation and Management (E/M) visits were a source of EHR-related burden and overly complicated. They told us these requirements result in “pajama time,” where physicians spend hours after clinic sessions and on weekends entering data to satisfy billing and quality reporting requirements. Poor usability features within EHRs can further exacerbate this issue, as clinicians find it difficult to navigate long records within the EHR interface. Based on this feedback, the report covers four key areas:

Clinical documentation
Health IT usability (or ease of use of health IT tools and systems)
Federal health IT and EHR reporting requirements
Public health reporting (including coordination with prescription drug reporting programs and electronic prescribing of controlled substances).

In addition to responding to the direction included in the EHR Report, health care and health IT providers also will want to continue to monitor and communicate with ONC. While moving forward on the implementation of the objectives identified in the EHR Report, ONC says it plans to continue to reach out and engage the clinician community and other key stakeholder communities and to monitor emerging and ongoing burdens related to the use of EHRs, such as burdens related to EHR inbox management and other efforts to enable further automation in health care, with a focus on prior authorization, quality reporting, and other aspects of our current system that can reduce time spent using health IT.

Leveraging Health IT For Research

On February 24, 2020, ONC followed up by releasing its National Health IT Priorities for Research: A Policy and Development Agenda. The Agenda articulates its latest vision of a health information technology infrastructure that supports alignment between the clinical and research ecosystems in research.

The Agenda identifies two overarching goals along with nine associated priority areas ONC believes stakeholders can take to achieve the respective visions more quickly and effectively:

Read the Agenda here.

More Information

The Agenda is the latest in a series of priorities, agendas and other initiatives adopted by ONC since its establishment in furtherance of its legislative mandate under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 to improve the health and well-being of individuals and communities through the use of technology and health information.

Health care providers, plans, technology vendors and providers and other stakeholders impacted by ONC and other electronic medical record or health IT systems should take into account the likely implications of these and other ONC pronouncements on their programs and practices when planning and updating them.

About the Author

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Comments Off on ONC Adds Reducing Provider EHR Burdens & Promoting Electronic Health Data Use In Research To Health IT Priorities | Academic medicine, ambulance, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Evidence Based Medicine, FDA, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HHS, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Meaningful Use, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, NIOSH, occupational health, OCR, ONC, Outcomes Data, pain management, Pharmacy, Physician, Prescription Drugs, Prospective Payment, public health, Public Policy, quality reporting, Reimbursement, research, Technology, Telemedicine, Uncategorized, Veterans Health, Veterans Health Care, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Omnicare & CVS Accused Of Health Care Fraud In Long Term Care Pharmacies

December 17, 2019

The Department of Justice today sued the nation’s largest long term care pharmacy provider, Omnicare, and its parent company, CVS Healthcare Corporation seeking seeks damages and civil penalties under the False Claims Act for fraudulently billing federal healthcare programs for hundreds of thousands of non-controlled prescription drugs DOJ says Omnicare illegally dispensed to elderly and disabled individuals in assisted living facilities, group homes, independent living communities, and other non-skilled residential long-term care facilities (“LTC facilities”).

In the civil health care fraud complaint the DOJ filed a New York Federal District Court, the Omnicare illegally dispensed and billed the federal government and patients for antipsychotics, anticonvulsants, and antidepressants to elderly and disabled residents in LTC facilities without proper prescriptions. DOJ’s lawsuit alleges that instead of obtaining new prescriptions from patients’ doctors after the old ones had expired or run out of refills, Omnicare just assigned a new number to the old prescription and kept on dispensing drugs for months, and sometimes years, after the prescriptions expired. DOJ’s complaint alleges that Omnicare internally referred to these renumbered expired prescriptions as “rollover” prescriptions. The DOJ complaint also charges that Omnicare also submitted, or caused to be submitted false claims for payment for medications dispensed based on invalid prescriptions it internally referred to as “rollover” prescriptions” to Medicare, Medicaid, and TRICARE in violation of the False Claims Act.

Omnicare is the country’s largest provider of pharmacy services to LTC facilities. It currently operates approximately 160 pharmacies in 47 states across the United States, which dispense tens of millions of prescription drugs to LTC facilities that serve elderly and disabled individuals. CVS acquired Omnicare in May 2015, and shortly thereafter assumed an active role in overseeing Omnicare’s operations, including pharmacy dispensing practices and systems.

According to the DOJ complaint failed today, from 2010 until 2018, Omnicare and CVS allowed Omnicare pharmacies to dispense non-controlled prescription drugs to tens of thousands of elderly and disabled individuals living in LTC facilities based on prescriptions that had expired, were out of refills, or were otherwise invalid. Omnicare repeatedly disregarded prescription refill limitations and expiration dates that required doctor visits to reevaluate whether the drug should be renewed. Instead of requesting new prescriptions when old ones expired, Omnicare allowed prescriptions to “roll over.” At Omnicare, “rolling over” a prescription meant that when a prescription expired, Omnicare’s computer systems would assign the old prescription a new number and the pharmacy would continue to dispense the drug indefinitely without the need for a prescription renewal. Depending on the computer system used, Omnicare also sometimes assigned a fake number of authorized refills to a prescription – usually 99 allowable refills for Medicare patients – to allow for continuous refilling. DOJ claims that Omnicare pharmacies “rolled over” prescriptions for elderly and disabled individuals living in more than 3,000 residential long-term care facilities, including assisted living facilities operated by the largest long-term care providers in the country, such as Brookdale Senior Living, Atria Senior Living, Sunrise Senior Living Services, and Five Star Senior Living. DOJ also claims Omnicare managers exerted pressure on overwhelmed pharmacy staff to fill prescriptions quickly so that Omnicare could submit claims and collect payments.

According to the DOJ, Senior management at Omnicare and CVS knew of the practices. The DOJ complaint charges among other things that the Omnicare’s Compliance Department succinctly acknowledged the problem in an internal April 2015 email in which one Regional Compliance Officer stated: “An issue that I am running into more and more in multiple states concerns the ability of our systems to allow prescriptions to continue to roll after a year to a new prescription number without any documentation or pharmacist intervention.” A compliance officer then forwarded the email to the head of Omnicare’s Third Party Audit group, who responded that she had a “potential solution (programmed last year) but no one is rolling it out now.”

DOJ says Omnicare’s practice of illegally dispensing drugs to elderly and disabled individuals living in LTC facilities exposed these vulnerable individuals to a significant risk of harm. In contrast to traditional skilled nursing homes, where residents have access to 24-hour medical care supervised by doctors, assisted living and other non-skilled residential facilities offer more limited medical care, or none at all. In particular, these LTC facilities generally do not have doctors on staff to oversee and monitor residents’ drug therapy.

Many of the prescription drugs dispensed by Omnicare without valid prescriptions treat serious, chronic conditions, such as dementia, depression, and heart disease. They include antipsychotics, anticonvulsants, cardiovascular medications, anti-depressants, and other drugs that can have dangerous side effects and need to be closely monitored by doctors, particularly when taken in combination with other drugs by elderly patients. By repeatedly dispensing potent drugs without current and valid prescriptions, Omnicare jeopardized the health and safety of tens of thousands of individuals who continued to take the same drugs for months, and sometimes years, without consulting their doctors to determine whether the medications were still clinically appropriate.

A large percentage of the long-term care residents served by Omnicare are beneficiaries of federal healthcare programs. By dispensing drugs without valid prescriptions, Omnicare presented, or caused to be presented, hundreds of thousands of false claims to Medicare, Medicaid, and TRICARE. These claims were ineligible for payment. In addition, Omnicare knowingly transmitted false information to these federal healthcare programs that made it appear that drug dispensations were supported by current, valid prescriptions from physicians when in fact they were not.

The DOJ lawsuit resulted from the DOJ’s intervention in whistleblower lawsuits filed by former employees.

In today’s announcement of the lawsuit, Manhattan U.S. Attorney Geoffrey S. Berman said: “As alleged, Omnicare put at risk the health of tens of thousands of elderly and disabled individuals living in assisted living and other residential long-term care facilities by dispensing drugs for months, and sometimes years, without obtaining current, valid prescriptions from doctors. A pharmacy’s fundamental obligation is to ensure that drugs are dispensed only under the supervision of treating doctors who monitor patients’ drug therapies. Omnicare blatantly ignored this obligation in favor of pushing drugs out the door as quickly as possible to make more money. This Office will continue to hold accountable those who put at risk people’s health and safety just to turn a profit.”

Meanwhile, HHS-OIG Special Agent in Charge Scott J. Lampert said: “Failing to consult doctors as to whether prescriptions should be refilled places patients’ health and medical care at serious risk. These automatic rollover refills could have significant consequences for vulnerable people in long term-care facilities. We will continue working with law enforcement partners to protect people depending on these taxpayer-funded government health programs.”

More information is expected to be forthcoming.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve fraud, substandard quality, safety, unprofessional conduct, sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Conditions of Participation, Controlled Substances, Corporate Compliance, DEA, Doctor, drug treatment, E-Prescribing, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, HHS, Hospice, long-term care, Medicare Prescription Drug Program, OIG, Patient Empowerment, Pharmaceudical, Pharmacy, Prescription Drugs, Reimbursement, Uncategorized, Veterans Health, Veterans Health Administration, Veterans Health Care | Tagged: controlled substance, cvs, DEA, drugs, false claims act, Health Care, Health Care Fraud, Health Care Provider, HEAT, Medicaid, omnicare, pharmacist, pharmacy | Permalink
Posted by Cynthia Marcotte Stamer

Air Ambulance Bills Drawing Congressional “Surprise Billing” Scrutiny

July 31, 2019

Congress is looking into air ambulance rates. The top Republican on the House Ways and Means Committee Kevin Brady (R-TX) and Committee Chairman Richard E. Neal (D-MA) sent a letter to Department of Transportation (DOT) Secretary Elaine Chao, urging her to comply with congressional requirements and promptly convene the Air Ambulance and Patient Billing (AAPB) Advisory Committee.

Part of continuing Congressional concern about reports that patients and their families suffer financial hardship from “surprise bills” for emergency care, Congress directed DOT to establish this task force within 60 days of enactment of the FAA Reauthorization Act of 2018, but 10 months have passed since the President signed the bill into law and the advisory committee still has not met. The task force’s purpose is to inform Congress on air ambulance medical patient billing as Ways and Means Committee leaders work to address the issue of balance billing.

The Government Accountability Office (GAO) issued a report this year that found that nearly 70 percent of analyzed air ambulance transports conducted in 2017 for privately insured patients were out-of-network, a significantly higher rate than other emergency services. The cost of these out-of-network air ambulance services are leaving patients exposed to unexpectedly high out-of-pocket bills.

The AAPB Advisory Committee is required to provide Congress, DOT, and the Department of Health and Human Services with recommendations to protect consumers from balance billing for air ambulance transports, requirements for the disclosure of charges and fees for these services, and consumer protection and enforcement authorities of both the DOT and states. “This information is critical as Congress considers appropriate steps to find the best solution to protect consumers from surprise bills,” wrote Brady and Neal. “However, the committee has failed to convene, let alone produce a report. Additionally, Congress mandated the Secretary of DOT to submit a report to the appropriate committees of Congress on air ambulance oversight, which has also yet to be provided.”

Brady and Neal requested that, within 14 days, DOT provide updated deadlines for the appointment of individuals to the task force, along with a timeline for convening the advisory committee and providing recommendations and a final report.

Patients using air ambulance and other services used in emergency circumstances generally don’t have the option of choosing network participating providers and often their health plans may not cover or only provide limited coverage for that transportation. On the other hand, air ambulance operators point out that the services are costly to own and operate requiring substantial investment in equipment, staff, regulations and other operating costs on standby and ready to respond on demand. They also point out that limited coverage for their services already creates a high uncollectible debt load. Because of these and other challenges many cities, counties and other governmental entities assume or subsidize these operating costs to help preserve the availability of services. They caution that increased regulation likely would adversely impact the availability of these services in rural or other areas where prompt transportation can mean the difference between life and death for critical patients.

About the Author

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | air ambulance, ambulance, balance billing, Emergency Care, Employee Benefits, Employer, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Reform, health care reimbursement, Health Plan, HHS, Hospital, Reimbursement, Rural Health Care, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Cognitive Disability Exclusion from Heart Transplant List Placement Prohibited

February 13, 2019

Exclusion of a cognitively impaired patient from its heart transplant list landed University of North Carolina Healthcare System (“UNC Healthcare”) in hot water with the Department of Health and Human Services Office of Civil Rights (OCR). The OCR enforcement action highlights the need for health care organizations to re-evaluate long-standing practices for limiting or denying access to transplants, research or other restricted treatment based on cognitive, mental or other impairments of the patient.

OCR announced February 12 that it resolved a complaint against UNC Health Care alleging that it unlawfully denied an individual the opportunity to be placed on the United Network for Organ Sharing (UNOS) list on the basis of their disability. UNC Health Care is a public academic medical center comprised of North Carolina Memorial Hospital, North Carolina Children’s Hospital, North Carolina Neurosciences Hospital, and North Carolina Women’s Hospital.

Federal law generally prohibits health care providers from discriminating against patients based on disability. Section 504 of the Rehabilitation Act of 1973, 29 U.S.C. § 794 (“Section 504”) prohibits discrimination on the basis of disability by recipients of Federal financial assistance.

In addition, the Americans with Disabilities Act of 1990, 42 U.S.C. § 12101 et seq. (“ADA”), prohibits discrimination on the basis of disability by both public and private entities, whether or not they receive Federal financial assistance. Providers covered by Section 504 and/or the ADA may not deny benefits or services to qualified individuals with disabilities or provide lesser benefits than they provide to others. In general, an individual with a disability is “qualified” if that person meets the essential eligibility requirements for receipt of services or participation in the program or activity with or without reasonable modification to rules, policies or practices. The purpose of these laws is to ensure that covered programs are as accessible to persons with disabilities as they are to nondisabled individuals.

In September 2018, OCR received a complaint alleging that an individual with an intellectual disability was in need of a heart transplant, but a doctor on staff at UNC Health Care determined that they were not a good candidate for heart transplant because of their developmental learning disabilities and because they do not live independently. The complainant asserted that without the transplant, they would eventually die.

OCR used the Early Complaint Resolution (ECR) process to achieve a successful resolution of this matter. ECR is a facilitated negotiation between the parties to an OCR complaint with the goal of achieving a resolution that quickly provides a remedy to the individual that has been allegedly discriminated against as well as securing additional measures that can be implemented to reduce the likelihood of future incidents of alleged discrimination.

In January 2019, UNC Health Care agreed that the individual’s medical records will be amended to clarify that they are eligible to be considered for placement on the UNOS transplant list. OCR will provide technical assistance to UNC Health Care in the development of their transplant eligibility policy.

The UNC Healthcare enforcement and resolution is the latest in a lengthy and growing list of disability discrimination enforcement actions OCR has taken against health care providers and plans. Cognitive disorders and mental disabilities are frequently the basis of these actions. Additionally health care providers and health plans also can incur liability from private lawsuits for prohibited discrimination. In the light of growing awareness and enforcement of these disability discrimination prohibitions, health care providers should review and correct procedures to mitigate risks.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes. As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; managed care organizations, insurers, self-insured health plans and other payers and their management; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance, compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, ADA, ASC, Conditions of Participation, Cultural diversity, Disability Discrimination, Discrimination, DME, Doctor, Employer, Health Care, Health Care Provider, Health Care Quality, HHS, Home Health, home health, Hospice, Hospital, hospitals, Mental Health, OCR, Pharmaceudical, Pharmacy, Physician, research, transplant, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Year-End $3 Million HIPAA Settlement Pushes 2018 OCR HIPAA Recoveries Over $28 Million; Act Promptly To Strengthen Compliance & Share Ideas For Simplification

February 7, 2019

Health care providers, health plans, health care clearinghouse and their business associates (“Covered Entities”) should reconfirm the adequacy of their organization’s Health Insurance Portability and Accountability Act (“HIPAA”) compliance in light the U.S Department of Health and Human Services Office of Civil Rights (“OCR”) February 7, 2019 announcement that OCR reached a 2018 year-end $3 Million Resolution Agreement with California-based Cottage Health that pushed OCR’s already record-setting 2018 enforcement HIPAA recoveries to more than $28.7 million in a year already distinguished by OCR’s record-setting $16 million resolution payment collection from Anthem.

Along with acting to ensure their own organization’s ability to defend their HIPAA compliance, Covered Entities and their leaders also should take advantage of the opportunity to provide input to OCR on opportunities for simplifying and improving OCR’s HIPAA regulations and enforcement by submitting relevant comments by February 12, 2019 in response to a Request for Information published by OCR in December that invites public input.

Learn more de

2018 Cottage Health Resolution Agreement

According to OCR’s February 7, 2019 announcement, Cottage Health agreed in OCR’s final settlement of 2017 to pay OCR $3 million and to adopt a substantial corrective action plan to settle charges of HIPAA violations resulting from OCR’s investigations into two HIPAA Breach notifications Cottage Health filed regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals.

A December 2, 2013 breach notification that the removal of electronic security protections by a Cottage Health contractor rendered ePHI such as patient names, addresses, dates of birth, diagnoses/conditions, lab results and other treatment information of 33,349 individuals on a Cottage Health server accessible for download without a username or password from the internet to anyone outside Cottage Health. In an update to its original report filed on July 2, 2014, Cottage Health increased the number of individuals affected by this breach to 50,917. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.
A December 1, 2015, that the misconfiguration of a server following an IT response to a troubleshooting ticket, exposed unsecured ePHI including patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information of 11,608 individuals over the internet.

Based upon its investigation into the two breach reports, OCR concluded Cottage Health violated HIPAA by failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

To resolve its exposure to potentially must greater civil monetary sanctions that OCR might seek for such potential violations under HIPAA’s civil monetary sanction rules, Cottage Health entered into December, 2018 Resolution Agreement to pay the $3 million settlement and undertake what OCR characterizes as “a robust corrective action plan to comply with the HIPAA Rules.” Among other things, the corrective action plan requires Cottage Health to:

Conduct an enterprise-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Cottage Health (“Risk Analysis”) that OCR views as satisfactory to meet the requirements of 45 CFR 164.308(a)(1)(ii)(A);
Develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis acceptable to OCR;
Implement a process for regularly evaluating environmental and operational changes that affect the security of Cottage Health’s ePHI;
Develop, maintain, and revise, as necessary, written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information under 45 C.F.R. Part 160 and Subparts A, C, and E of Part 164 (the “Privacy Rule” and “Security Rule”).
Distribute to and conduct training on the HIPAA policies and procedures from all existing and new members of the Cottage Health workforce with access to PHI. Additionally, Cottage Health require all workforce members that have access to PHI to certify their receipt of, understanding and commitment to comply with the HIPAA Policies before allowing access to PHI and must deny access to PHI to any workforce member that has not provided the required certification.
Submit to ongoing notification and reporting requirements to keep OCR informed about its compliance efforts.

2018 Record Setting HIPAA Enforcement Year

The final Resolution Agreement negotiated by OCR in 2018, the $3 million Cottage Health Resolution Agreement signed on December 11, 2018 added to an already record-setting year of HIPAA enforcement recoveries by OCR. In addition to recovering the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc. OCR’s recovery of the following HIPAA settlements and fines totaling nearly $28.7 million surpassed its previous 2016 record of $23.5 million by 22 percent.

Date	Name	Amount
Jan. 2018	Filefax, Inc (settlement)	$ 100,000
Jan. 2018	Fresenius Medical Care North America (settlement)	$ 3,500,000
June 2018	MD Anderson (judgment)	$ 4,348,000
Aug. 2018	Boston Medical Center (settlement)	$ 100,000
Sep. 2018	Brigham and Women’s Hospital (settlement)	$ 384,000
Sep. 2018	Massachusetts General Hospital (settlement)	$ 515,000
Sep. 2018	Advanced Care Hospitalists (settlement)	$ 500,000
Oct. 2018	Allergy Associates of Hartford (settlement)	$ 125,000
Oct. 2018	Anthem, Inc (settlement)	$ 16,000,000
Nov. 2018	Pagosa Springs (settlement)	$ 111,400
Dec. 2018	Cottage Health (settlement)	$ 3,000,000
Total (settlements and judgment)		$ 28,683,400

Aside from the previously discussed Cottage Health Resolution Agreement OCR announced on February 7, 2019, these OCR 2018 enforcement recoveries included:

FileFax Resolution Agreement. In January 2018, OCR settled for $100,000 with Filefax, Inc., a medical records maintenance, storage, and delivery services provider. OCR’s investigation found that Filefax impermissibly disclosed protected health information (PHI) by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
Fresenius Medical Care North America Resolution Agreement. In January 2018, OCR also settled for $3.5 million with Fresenius Medical Care North America (FMCNA), a provider of products and services for people with chronic kidney failure. FMCNA filed five breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five FMCNA owned covered entities. OCR’s investigation revealed that FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. Additional potential violations included failure to implement policies and procedures and failure to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.
MD Anderson ALJ Ruling. In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. This matter is under appeal with the HHS Departmental Appeals Board.
MMC/BWH/MGH Resolution Agreements. In September 2018, OCR announced that it has reached separate settlements totaling $999,000, with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ PHI by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.
ACH Resolution Agreement. In September 2018, OCR also settled with Advanced Care Hospitalists (ACH), a contractor physician group, for $500,000. ACH filed a breach report confirming that ACH patient information was viewable on a medical billing services’ website. OCR’s investigation revealed that ACH never had a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.
Allergy Associates Resolution Agreement. In October 2018, OCR settled with Allergy Associates, a health care practice that specializes in treating individuals with allergies, for $125,000. In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. OCR’s investigation found that the reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.
Anthem Resolution Agreement. In October 2018, Anthem, Inc. also paid $16 million to OCR and agreed to take substantial corrective action to settle potential violations of the HIPAA Rules after a series of cyberattacks led to the largest U.S. health data breach in history. Anthem filed a breach report after discovering cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
Pegosa Springs Medical Center. In November 2018, Pagosa Springs Medical Center (PSMC), a critical access hospital, paid $111,400 to OCR to resolve potential violations concerning a former PSMC employee that continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ ePHI, after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

These 2018 Resolution Agreements reaffirm the growing risks that Covered Entities and their business associates run by failing to take adequate steps to prevent and respond to breaches of ePHI and otherwise to maintain their compliance with HIPAA. Covered entities and business associates and their leaders should recognize and respond to these growing risks by reevaluating and strengthening their HIPAA compliance and risk management efforts to minimize the likelihood of violations and enhance their ability to mitigate potential liability that can result from breaches of HIPAA by responding efficiently and effectively.

Other Regulatory & Enforcement Developments

In addition to reaffirming their ongoing compliance with the longstanding requirements of HIPAA and other related federal and state laws, Covered Entities also should use care to carefully monitor and respond to new regulatory and other developments that might create new responsibilities or new opportunities to simplify their HIPAA compliance. In this respect, Covered Entities should take note of the 2018 and ongoing efforts by OCR to develop and publish new rules and other guidance intended to help health care providers and other Covered Entities, patients and caregivers and others understand their rights and responsibilities when dealing with protected health information in relation to patients afflicted with substance abuse and mental illness. Undertaken as part of the Trump Administration’s broader effort to combat opiate and other substance abuse within the United States, OCR in October published a package of guidance on How HIPAA Allows Doctors To Respond To The Opioid Crisis. Covered Entities and others concerned with the management of patients afflicted with substance abuse and mental illness should evaluate this guidance to understand and tailor their practices to respond to OCR’s perspectives of how HIPAA impacts the use, access and disclosure of protected health information as part of these efforts.

Covered Entities and others concerned about HIPAA compliance and interpretation also should carefully monitor and provide appropriate and timely input on developing HIPAA guidance that could impact their operations. In this regard, Covered Entities with ideas about opportunities for improving existing HIPAA guidance are encouraged to submit comments to OCR by February 12, 2019 in response to its Request for Information on improving care coordination and reducing the regulatory burdens of the HIPAA Rules published on December 12, 2018. In that RFI, OCR invites input from the public on how the HIPAA Privacy Rule, could be modified to:

Encourage information-sharing for treatment and care coordination;
Facilitate parental involvement in care;
Address the opioid crisis and serious mental illness;
Account for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act;
Change the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices; and/or
Otherwise simplify or improve the existing HIPAA rules.

As a part of these efforts, Covered Entities and other concerned parties also should anticipate that OCR will be focusing heavily in the upcoming year on the potential HIPAA privacy and security implications of efforts by its sister agency, the Office of the National Coordinator for Health Information Technology (“ONC”), to promote greater interoperability of electronic medical records discussed in ONC’s recent 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

Under the 21st Century Cures Act, Congress gave ONC authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

The development and use of upgraded health IT capabilities;
Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
Improvement of the health IT end-user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden. The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. While the Report states ONC intends to move forward to promote efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans, these activities inherently will raise many HIPAA concerns and challenges. Covered Entities and others concerned with these activities will want to carefully monitor the concurrent activities of OCR and ONC as these efforts progress, both to help tailor their planning and compliance efforts to respond to the anticipated demand for greater interoperability as required by ONC and to help shape these rules by providing timely input as appropriate in response to these developments.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes. As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | 21st century cures act, Academic medicine, ADA, ASC, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cyber crime, data breach, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, FACTA, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Indian Health, Inpatient Rehabilitation, Joint Commission, Laws, legal epidemiology, managed care, Meaningful Use, Medicaid, medical devices, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Health, Mental Heatlh, NIOSH, NIST, OCR, Opiates, Outpatient, participating provider, Physician, Prescription Drugs, Privacy, Prospective Payment, Provider contracting, public health, Public Policy, quality reporting, quality repoting, Reimbursement, research, Skilled Nursing Facility, Substance Abuse, Technology, Telemedicine, Veterans Health, Veterans Health Care, Wellness | Tagged: Health Care, Health IT, Medicare, ONC, Physician | Permalink
Posted by Cynthia Marcotte Stamer

ONC Report Signals New Interoperability Demands Coming

January 8, 2019

Interoperability will be a key priority for the Office of the National Coordinator for Health Information Technology (“ONC”) going forward.

That’s the message in the just released 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

The plan to promote interoperability raises new business and compliance planning opportunities for health care providers, health insurers and other payers, health data and information technology (IT) providers and others.

The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act.

Under the 21st Century Cures Act, Congress gave HHS authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

The development and use of upgraded health IT capabilities;
Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
Improvement of the health IT end user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden..

Current Status

The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. For example:

Despite the individual right to access health information about themselves established by the HIPAA Privacy Rule, patients often lack access to their own health information, which hinders their ability to manage their health and shop for medical care at lower prices;

Health care providers often lack access to patient data at the point of care, particularly when multiple health care providers maintain different pieces of data, own different systems, or use health IT solutions purchased from different developers; and

Payers often lack access to clinical data on groups of covered individuals to assess the value of services provided to their customers.

The Report says these limitations create several problems, including:

Patients should be able to easily and securely access their medical data through their smartphones. Currently, patients electronically access their health information through patient portals that prevent them from easily pulling from multiple sources or health care providers. Patient access to their electronic health information also requires repeated use of logins and manual data updates.

For health care providers and payers, interoperable access and exchange of health records is focused on accessing one record at a time.
Payers cannot effectively represent their members if they lack computational visibility into which health care providers offer the highest quality care at the lowest cost. Without the capability to access multiple records across a population of patients, health care providers and payers will not benefit from the value of using modern computing solutions—such as machine learning and artificial intelligence—to inform care decisions and identify trends.
Payers and employer group health plans which purchase health care have little information on health outcomes. Often, health care providers and payers negotiate contracts based on the health care provider’s reputation rather than on the quality of care that health care provider offers to patients. Health care providers should instead compete based on the entire scope of the quality and value of care they provide, not on how exclusively they can craft their networks. Outcome data will allow payers to apply machine learning and artificial intelligence to have better insight into the value of the care they purchase.

Current Barriers

According to the Report, HHS heard from stakeholders over the past year that barriers to interoperable access to health information remain, including technical, financial, trust, and business practice barriers. These barriers impede the movement of health information to where it is needed across the care continuum. In addition, burden arising from quality reporting, documentation, administrative, and billing requirements that prescribe how health IT systems are designed also hamper the innovative usability of health IT.

Current and Upcoming Actions

The Report states HHS has many efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans.

ONC also reports Federal agencies, states, and industry have taken steps to address technical, trust, and financial challenges to interoperable health information access, exchange, and use for patients, health care providers, and payers (including insurers). HHS aims to build on these successes through the ONC Health IT Certification Program, HHS rulemaking, health IT innovation projects, and health IT coordination.

In accordance with the Cures Act, HHS is actively leading and coordinating a number of key programs and projects. These include continued work to deter and penalize poor business practices and that HHS conducted multiple outreach efforts to engage the clinical community and health IT stakeholders to better understand these barriers, challenges, and health care provider burden.

Recommendations

The Report makes the following overarching recommendations for future actions HHS plans to support through its policies and that the health IT community as a whole can take to accelerate progress:

Focus on improving interoperability and upgrading technical capabilities of health IT, so patients can securely access, aggregate, and move their health information using their smartphones (or other devices) and health care providers can easily send, receive, and analyze patient data.

Increase transparency in data sharing practices and strengthen technical capabilities of health IT so payers can access population-level clinical data to promote economic transparency and operational efficiency to lower the cost of care and administrative costs.

Prioritize improving health IT and reducing documentation burden, time inefficiencies, and hassle for health care providers, so they can focus on their patients rather than their computers.

The Report also says interoperable access underpins HHS’s efforts to pursue a health care system where data are available when and where needed.

ONC intends to particularly focus on promoting open APIs. Open APIs are technology that allow one software program to access the services provided by another software program and can improve access and exchange of health information. ONC says APIs can:

Support patients’ ability to have more access to information electronically through, for example, smartphones and mobile applications. HHS applauds the emergence of patient-facing applications that allow patients to access, aggregate, and act on their health information; and

Allow payers to receive necessary and appropriate information on a group of members without having to access one record at a time.
Increase institutional accountability, support value- based care models, and lead to competitive medical care pricing that benefits patients.

The Report claims patients, health care providers, and payers with appropriate access to health information can use modern computing solutions to generate value from the data. Improved interoperability can strengthen market competition, result in greater quality, safety, and value for the healthcare system, and enable patients, health care providers, and payers to experience the benefits of health IT.

Prepare For Enhanced Operability Requirements

ONC’s plan to achieve greater interoperability presents new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others. Among other things, participants in the healthcare system and their suppliers will need to prepare to comply with new expectations and mandates for interoperability. Meeting these demands will require financial expenditures as well as present technological challenges.The increased availability and access to electronica medical records and information resulting from these changes also a can be expected to drive new challenges and demands. Among other things, businesses relying on control of health information or records to influence or control patience, reimbursement, or other business value need to reevaluate and adjust their business models accordingly.

Improve accessibility and interoperability also is likely to create new expectations and demands by patients, payers, other providers and perhaps most significantly for providers and payers, regulators. Participants in the system will need to understand these applications and prepare to both defend their business performance as well as their compliance taking into account these new demands.

Amid all of this, of course, providers, pears, and their business associates can anticipate continued if not enhanced demands for enhanced data security and privacy protections and accompanying enforcement of these standards.

As ONC move forward on its plans to enhance interoperability, all concerned stakeholders will want to monitor developments and provide thoughtful and timely input. The time to get started is now. ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Those interested in providing input should make sure their comments are submitted by the applicable deadlines next month.

Read the full Report here and share your input by the specified deadlines.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes. As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Apply for 2019 CDC Externships in Public Health Law By 1/31/19

November 21, 2018

Now is the time to apply for selection to participate in the Center for Disease Control (CDC) Public Health Law Program (PHLP).

The PHLP offers externships in public health law, tribal public health law, and public health administration and communications. The externships consist of 9–14 weeks of professional work experience with PHLP in Atlanta, Georgia. With rolling start and completion dates during the academic year, unpaid externships must qualify for academic credit as authorized by law and public health schools. Applications for summer 2019 positions are due by January 31, 2019.

About the Author

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients as well as a diverse array of other business and government entities. Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with operational compliance and risk management; strategic planning; product and services development and innovation; workforce and operations management: crisis preparedness and response; public and regulatory affairs and host of other concerns.

As part of this work, Ms. Stamer continuously advises clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. She helps clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

As part of this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Author of leading works on a multitude of these and other concerns, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, and Board Certified by the Texas Board of Legal Specialization in Labor and Employment Law, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or experience publications, speaking, public advocacy or other involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, Anethesiology, billing, Border Health, CDC, Centers For Disease Control, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, DEA, Doctor, drug treatment, E-Prescribing, FDA, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Care Reform, Health Plan, Health Plans, healthcare, HHS, Hospice, Hospital, hospitals, Human Subjects Research, Laws, Medicaid, Medical Malpractice, Medical Records, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, Opiates, pain management, Patient Empowerment, Pharmacy, Physician, Prescription Drugs, Psychiatric, public health, Public Policy, Reimbursement, Second Amendment, Substance Abuse, substance abuse treatment, Uncategorized, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

CMS Hosts EDGE Server Webinar Series VIII for Health Insurers, TPAs

November 1, 2018

The Centers for Medicare & Medicaid Servhces (CMS) will conduct a webinar session on the EDGE Server 29.0 Maintenance Release Detail and Global Reference Data Updates on Tuesday, November 6, 2018 from 11:30 a.m. – 12:30 p.m. ET.

CMS will conduct this session using two (2)-way audio conferencing for

Health Insurance Issuers of Marketplace and Non-Marketplace Plans § Amazon and On-Premise EDGE server Issuers

Health Plan Third Party Administrators (TPAs)

Register here at least 24 hours prior to the scheduled session.

Leave a Comment » | Affordable Care Act, Consumer Driven Health Care, Corporate Compliance, Electronic Health Records, Employee Benefits, ERISA, Health IT, Health Plan, Health Plans, healthcare, HHS, Medicare Advantage, Reimbursement, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Trump Signs Sweeping Opiate Prescription & Treatment Reform Bill Into Law

October 24, 2018

Today (October 24, 2018), President Trump signed into law bill he and Congress hope will combat the opioid crisis, H.R. 6, the Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment (SUPPORT) for Patients and Communities Act.

The bipartisan law takes aim at the U.S. Opiate Addiction Epidemic by combining over 70 bills from the House and Senate to combat the opioid crisis, including:

H.R. 5773, Preventing Addiction for Susceptible Seniors (PASS) Act, which ombines several member bills that aim to prevent opioid overuse by increasing program integrity efforts and resources for beneficiaries to help ensure that they are properly adhering to their prescribed pain medications.

H.R. 5775, Providing Reliable Options for Patients and Educational Resources (PROPER) Act, which combines several member bills that aim to increase educational resources for Medicare beneficiaries. These resources ensure beneficiaries are aware of the adverse effects of prolonged opioid use and their coverage options for the treatment of pain. The PROPER ACT also eliminates pain-related questions from required patient satisfaction surveys in hospitals.

H.R. 5774, Combating Opioid Abuse for Care in Hospitals (COACH) Act, which combines several member bills that aim to educate providers and beneficiaries to reduce opioid use, and promotes the development and adoption of quality measure related to opioid use and opioid use disorder treatments.

H.R. 6110, Dr. Todd Graham Pain Management, Treatment, and Recovery Act, which combines several member bills that aim to eliminate Medicare payment incentives to prescribe opioids instead of non-opioid pain management treatments and expand access to non-opioid alternatives and substance use disorder treatment, including in underserved and rural areas.

H.R. 5723, Expanding Oversight of Opioid Prescribing and Payment Act, which examines incentives under Medicare hospital payments for prescribing of opioids relative to non-opioid alternatives and the ability to track and monitor opioid use through Medicare claims.

H.R. 5676, Stop Excessive Narcotics in our Retirement (SENIOR) Communities Protection Act, which extends the authority of Medicare Prescription Drug Plans to suspend payments pending an investigation of a credible allegation of fraud against the provider or supplier in the same manner already available under Medicare fee-for-service today.

H.R. 5788, Synthetics Trafficking and Overdose Prevention Act of 2018 (STOP Act of 2018), which requires the United States Postal Service to obtain advance electronic data on international mail shipments, which will allow U.S. Customs and Border Protection to target high-risk shipments – including those containing synthetic opioids – for inspection and seizure at the border.

The above bills included measures from many of the following pieces of legislation:

H.R. 5675, To amend title XVIII of the Social Security Act to require prescription drug plan sponsors under the Medicare program to establish drug management programs for at-risk beneficiaries.

H.R 4841, Standardizing Electronic Prior Authorization for Safe Prescribing.

H.R. 5676, Stop Excessive Narcotics in our Retirement (SENIOR) Communities Protection Act.

H.R.5684, Protecting Seniors from Opioid Abuse Act.

H.R. 5699, Hospital Opioid Solutions Toolkit (HOST) Act.

H.R . T 5686, Medicare Clear Health Options in Care for Enrollees (CHOICE) Act.

H.R. 5715, Strengthening Partnerships to Prevent Opioid Abuse Act.

H.R. 5716, Commit to Opioid Medical Prescriber Accountability and Safety for Seniors (COMPASS) Act.

H.R. 5723, Expanding Oversight of Opioid Prescribing and Payment Act.

H.R. 5718, Perioperative Reduction of Opioids (PRO) Act.

H.R. 5714, Education for Disposal of Unused (EDU) Opioids Act.

H.R. 5719, Reduce Overprescribing Opioids in Treatment (ROOT) Act.

H.R. 5725, Benefit Evaluation of Safe Treatment (BEST) Act.

H.R. 5722, Dr. Todd Graham Pain Management Improvement Act of 2018.

H.R. 5779, Promoting Quality of Care in Pain Management Act.

H.R. 5777, Centralized Opioid Guidance (COG) Act of 2018.

H.R. 5790, A bill to amend title XI of the Social Security Act to provide for clinical psychologist services models to be tested by the Center for Medicare and Medicaid Innovation, and for other purposes.

H.R. 5769, Expanding Access to Treatment Act of 2018.

H.R. 5080, A bill based on the Comprehensive Opioid Management and Bundled Addiction Treatment (COMBAT) Act of 2018.

H.R. 5778, Promoting Outpatient Access to Non-Opioid Treatments Act.

The sweeping legislation will significantly impact the responsibilities of providers prescribing opiates as well as impact the legal and illegal access of patients to these medications, treatment for opiate dependency, and reimbursement for opiate and other related care.

About the Author

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients as well as a diverse array of other business and government entities. Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

For more information about Ms. Stamer or experience publications, speaking, public advocacy or other involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, Anethesiology, billing, Centers For Disease Control, Controlled Substances, Corporate Compliance, DEA, Doctor, drug treatment, E-Prescribing, FDA, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Care Reform, Health Plan, Health Plans, HHS, Hospice, Hospital, hospitals, Laws, Medicaid, Medical Malpractice, Medical Records, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, Opiates, pain management, Pharmacy, Physician, Prescription Drugs, Psychiatric, Reimbursement, Substance Abuse, substance abuse treatment, Uncategorized, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Record $16M HIPAA Sanction Shows Need For Current Enterprise Risk Assessment; ONC/OCR Share New Tool To Help HIPAA Covered Entities Comply

October 17, 2018

Following on the heels of Monday’s announcement that Anthem, Inc. is paying a record setting $16 million to resolve charges its violations of the enterprise risk assessment and other requirements of the Health Insurance Portability & Accountability Act (HIPAA) Security Rule allowed cybercriminals to breach the electronic protected health information (ePHI) of more than 79 million patients, physicians and other health care providers, health plans and health insurers, health care clearinghouses (covered entities) and their service providers acting as their business associates (business associates) (hereafter collectively “HIPAA Entities”) should reconfirm their own and their business associates’ compliance with the HIPAA Security Rule’s enterprise risk assessment and other ePHI security requirements.

When conducting these assessments, HIPAA Entities generally will want to ensure that their new enterprise risk assessment documents their consideration of the newly updated Security Risk Assessment (SRA) Tool jointly announced yesterday (October 16, 2018) by the Department of Health & Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and OCR, lessons shared in OCR’s $16 million Anthem, Inc. resolution agreement, $5.55 million resolution agreement with Memorial Healthcare System and other OCR HIPAA resolution agreements, civil monetary penalty assessments and other Security Rule guidance, as well as other emergent internal and external data suggesting potential susceptibilities of their own systems and data to breach or loss.

HIPAA Entities are reminded that HIPAA requires that all HIPAA covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by their organization. Any HIPAA Entity that hasn’t already conducted a recent, appropriately documented enterprise wide risk analysis or updated their analysis in response to changes in equipment, vendors or emerging threats and developments should do so as soon as possible.

HIPAA’s requirement that HIPAA entities conduct and maintain an appropriately comprehensive and timely updated enterprise-wide risk analysis of potential security threats to ePHI both an affirmative requirement of the HIPAA Security Rule and an indispensable process to help healthcare organizations understand their security posture to prevent, detect, respond to and mitigate potential legal, operational and reputational costs that commonly result when ePHI or other sensitive information is breached or destroyed.

The importance of HIPAA entities having and being able to produce in the event of a breach or OCR audit an up-to-date, comprehensively enterprise risk assessment and response plan cannot be overstated. Beyond OCR’s publication of extensive regulatory guidance and educational outreach discussing the responsibility to conduct and maintain documentation of appropriate enterprise risk assessments, virtually every announced HIPAA Security Rule civil monetary penalty assessment and other enforcement action identifies violation of the HIPAA Security Rule’s enterprise risk assessment requirements among the material transgressions committed and required to be corrected by HIPAA entities like Anthem, Inc. subjected to Security Rule enforcement.

The updated SRA Tool jointly released by OCR and ONC on October 16, 2018 further reinforces the importance of complying with the enterprise wide risk assessment requirement while simultaneously encouraging and facilitating compliance by small to medium sized health care practices. Particularly designed with an eye to helping health care providers that work as solo practitioners or in groups with 10 or less health care providers and their business associates identify risks and vulnerabilities to ePHI, OCR says the updated SRA Tool “provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI” and incorporates new features to make the tool “more user friendly.” New features OCR hopes will make the SRA tool more user friendly include:

Enhanced User Interface
Modular workflow with question branching logic
Custom Assessment Logic
Progress Tracker
Improved Threats & Vulnerabilities Rating
Detailed Reports
Business Associate and Asset Tracking
Overall improvement of the user experience

HIPAA Entities should take note, however, that as of its October 16, 2018 released date, the updated version of the SRA Tool currently is only available in Windows format. OCR has indicated that the OCR and ONC have not yet updated the OS iPad version of the previously published version of the SRA Tool. While the previous OS iPad version remains available at the Apple App Store exit disclaimer icon (search under “HHS SRA Tool”), HIPAA Entities that presently use or plan to use the OS iPad tool should consider comparing the prior tool against the updated Windows SRA Tool to verify the continued suitability of its continued use and any adjustments in understanding or application that might be warranted by these differences. Additionally, HIPAA Entities also should review the revised User Guide available on the SRA Tool’s website before starting the assessment.

While the SRA Tool provides valuable guidance to help HIPAA Entities to conduct their own enterprise wide risk assessment, HIPAA Entities should keep in mind that the responsibility to assess their enterprise wide risk and to update their security safeguards to respond to these risks is a continuous one. While using the SRA Tool is an excellent starting point for beginning this assessment, HIPAA Entities need to realize that OCR expects HIPAA Entities to tailor their assessments to identify and respond to the full range of risks and exposures to their ePHI and associated systems and to constantly reevaluate and adjust these assessments in response to emerging system and ePHI threats identified in the course of their operations as well as external developments suggesting previously unidentified or inadequately appreciated threats. Moreover, in addition to conducting the risk assessment, OCR regulatory guidance and guidance drawn from OCR’s civil monetary settlements resolution agreements and other enforcement and audit activities also make clear that in addition to conducting the enterprise wide risk analysis, HIPAA entities also need to be prepared to produce documentation that their organizations took appropriate and timely action to address the risks identified in the risk assessment in accordance with the HIPAA Security Rule.

In addition to mitigate their exposure to potentially substantial HIPAA civil monetary penalties for violating the HIPAA Security Rule, HIPAA Entities also should keep in mind the potential role that their conduct and maintenance of appropriately comprehensive enterprise wide security risk assessments can play in helping to mitigate other legal, financial, operational and reputational risks that commonly also arise along with the HIPAA exposures associated with a breach of HIPAA. In addition to HIPAA’s Security Rules for ePHI, HIPAA Entities typically also are subject to a hodgepodge of non-HIPAA statutory, regulatory and/or contractual obligations to safeguard patient, employee, business partners and other individual, financial, health, tax, peer review and credentialing, trade secrets and other confidential information against improper use, access, destruction or disclosure. Examples of such obligations include the privacy and data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code and other tax laws, federal and state consumer debt and information, electronic crime, data security and identity theft statutes; federal and state trade secret and intellectual property laws; and others, for which violations often equal or substantially exceed the civil monetary penalty liability that commonly arise under the HIPAA Security Rule. The experience of Anthem, Inc. illustrates this point. While the $16 million resolution payment that OCR announced Anthem, Inc. is paying to resolve its HIPAA civil monetary penalty exposures for allowing the breach of the ePHI of 79 million individuals, this payment reflects only a very small portion of the overall liability that Anthem, Inc. incurred from data breach that lead to this resolution payment. Anthem, Inc. also separately already reportedly also has paid more than $115 million to settle other statutory and contractual liabilities arising from the breach separate as well as substantial investigatory and defense costs in addition to the HIPAA liabilities settled under the resolution agreement announced Monday. Other HIPAA Entities subjected to HIPAA civil monetary penalties or paying resolution payments to OCR also typically also have incurred substantial non-HIPAA sanctions and settlements, as well as other defense, investigation, operational and reputational losses as a result of their breaches. HIPAA Entities should strive to ensure that their HIPAA enterprise wide risk assessment and compliance efforts are properly coordinated and administered to manage these overall risks and responsibilities in addition to their HIPAA-specific responsibilities and liabilities.

Because enterprise wide risk assessments and discussions of their structuring, scope and findings are likely to produce legally sensitive evidence, HIPAA Entities are encouraged to seek the advice of qualified and suitably experienced legal counsel about the advisability of conducting all or certain aspects of an enterprise wide risk analysis and their documentation of their risk evaluation and response to take advantage of possible attorney-client privilege, work-product or other evidentiary rules before or throughout the risk assessment and response process and deliberations.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

Leave a Comment » | Ambulatory care, Anethesiology, Cyber crime, data breach, Doctor, Electronic Medical Records, Employer, ERISA, FACTA, Fiduciary Responsibility, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Qulity, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospital, Indian Health, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Device Manufacturers & Health Care Providers Should Update Audits & Controls For New NIST Data Security Guidance

August 23, 2018

Medical device manufacturers whose physical devices include technology that allows them to connect to the internet or other electronic system to communicate with other devices or systems “connected medical devices”) and health care providers installing, providing or using these devices should check out the guidance on connected medical device security provided by the just released 375 page NIST Special Publication 1800-8 (Guidance) from the National Institute of Standards and Technology (NIST).

While the Guidance’s title of “Securing Wireless Infusion Pumps,” suggests a more narrow focus, the Guidance clearly can be read as relevant if not generally applicable to all connected medical devices.

Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps and other connected medical devices transmit and/or connect to a variety of electronic health records (EHRs) and other healthcare systems, networks, and other devices. While this connectivity often helps improve certain healthcare delivery processes, a medical device’s connectivity capabilities also can create significant cybersecurity risk, which could lead to health care privacy, operational or safety risks. Tampering or other intentional or inadvertent access or interference with the data sent or received from connected medical devices can expose health care providers and their healthcare enterprises to series risks including, for example:

A breach of electronic protected health information (ePHI) in violation of the privacy and security standards of the Health Insurance Portability & Accountability Act (HIPAA);
Loss or disruption of healthcare services;
Malicious access by malicious actors;
Loss or corruption of enterprise information and patient data and health records; and
Resulting damage to an organization’s reputation, productivity, and bottom-line revenue.

The Guide includes a variety of information NIST intends to help organizations manage these and other risks to connected medical devices and their ePHI and other data. It provides an example that:

Illustrates cybersecurity standards and best-practice guidelines for better securing the wireless infusion pump ecosystem, such as the hardening of operating systems, segmenting the network, file and program whitelisting, code-signing, and using certificates for both authorization and encryption, maintaining the performance and usability of wireless infusion pumps and other connected mobile devices;
Discusses risks and opportunities to reduce risks from the compromise of information, including the potential for a breach or loss of ePHI, as well as not allowing these medical devices to be used for anything other than the intended purposes;
Documentation of a defense-in-depth strategy to introduce layers of cybersecurity controls that avoid a single point of failure and provide strong support for availability that may include a variety of tactics: using network segmentation to isolate business units and user access; applying firewalls to manage and control network traffic; hardening and enabling device security features to reduce zero-day exploits; and implementing strong network authentication protocols and proper network encryption, monitoring, auditing, and intrusion detection systems (IDS) and intrusion prevention systems (IPS);
Highlights best practices for the procurement of wireless infusion pumps, by including the need for cybersecurity features at the point of purchase; and
Calls upon industry to create new best practices for healthcare providers to consider when onboarding medical devices, with a focus on elements such as asset inventory, certificate management, device hardening and configuration, and a clean-room environment to limit the possibility of zero-day vulnerabilities.

As the patient identifiable ePHI these connected medical devices send, store or receive are considered subject to HIPAA’s privacy, security and breach notification rules, health care providers, medical device manufacturers acting as their business associates and other entities covered by these rules as covered entities or business associates are responsible for protecting and safeguarding this ePHI in accordance with HIPAA’s requirements. Since the Department of Health & Human Services Office of Civil Rights (OCR) often points to the NIST guidance as a relevant touchstone for HIPAA covered entities and business associates to comply with HIPAA security requirements, HIPAA covered entities can anticipate that OCR will look to and be influenced by the Guidance in formulating and applying HIPAA to connected mobile devices. Consequently, health care providers and other HIPAA covered entities and their business associates should be prepared to demonstrate their consideration and use of the standards and practices suggested in the Guidance including their analysis and justification for not following those criteria as part of their HIPAA security rule assessments. Meanwhile, connected mobile device manufacturers also will want to evaluate the Guidance and update their products and practices both to meet customer demands and to mitigate their risks as manufacturers to potential product liability claims and associated claims likely to rise from breaches or other events that may result from the failure to address the security and other risks identified in the Guidance as well as, when applicable, their specific business associate risk under HIPAA.

To accomplish this, impacted health care providers, manufacturers and other responsible parties generally will want to assess and confirm within the scope of attorney-client privilege the compliance of the ePHI safeguards of their current connected medical devices as well as require documented verification that any connected medical devices not yet deployed take into account these new standards. To the extent that deficiencies exist in the adherence of currently in use connected medical devices, HIPAA covered entities and their business associates should consult with qualified legal counsel experienced in addressing these HIPAA compliance and risk management concerns about the defensibility and exposures potential arising from the continued use of the devices, if any, and develop an appropriate compliance and risk management plan accordingly.

About the Author

Recognized repeatedly by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry, health and other benefit, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employer, associations, government and other health benefit sponsors and administrators, public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry, insurance, technology, government and other management clients.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design and reform programs and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, data breach, data security, Durable Medical Equipment, Electronic Health Records, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health IT, healthcare, HHS, HIPAA, home health, Hospital, hospitals, Human Subjects Research, Immigration, Inpatient Rehabilitation Facility, Life Sciences, medical devices, Medical Privacy, Medical Records, NIST, Privacy, Uncategorized, Veterans Health Administration | Tagged: connected medical device, Data Breach, Data Privacy Day, Data Security, EPHI, FTC Act, Health Care, health care data security, health care privacy, HIPAA, medical device, NIST, product liability, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Key House Committee Votes To Advance HSA & Other Health Choice Reforms; Plans 7/17 Health Care Fraud Hearings

July 13, 2018

A flurry of activity in the House Ways & Means Committee and other Congressional committees over the past few weeks signals the advisability of keeping a close eye on health care and health benefit reform proposals this Summer in anticipation of both the Fall health benefit enrollment and renewal season and the mid-term November Congressional elections.

Certainly continued Congressional commitment to pursue reform is evident from the House Ways & Means Committee’s health care heavy agenda of hearings and votes that this week alone resulted in its voting in favor of 11 health care reform bills promising new flexibility for employers about how to design their health plans and American families more health care choices and choice about how to pay for it and what coverage to buy popular with many providers, patients and employer and other health plan sponsors. While it remains to be seen if the House and Senate can agree on any or all of these proposal, the bi-partisan sponsorship of many of these proposals and the intensity of the focus of the Committee and others in Congress reflects a strong interest in health care reform by both parties leading up to November that could impact health benefit and other health care choices for providers, employers and American families in the Fall annual enrollment season.

The legislation passed by the Ways & Means Committee this weeks include bills that would:

Provide relief for employers relief from the Obamacare’s employer mandate and delay for an additional year the effective date of the widely disliked “Cadillac Tax;”
Overrule the “Use it Or Lose It” requirement in current Internal Revenue Regulations for healthcare flexible spending arrangement plans (HFSAs) that currently forces employers sponsoring HFSAs to draft their plans to require employees to forfeit unused salary reduction contributions in their HFSA accounts at the end of the year;
Offer individuals and families eligible for Obamacare created health premium subsidies more choice about where to obtain that coverage using their subsidies; and
Expand expand the availability and usability of HSAs in a multitude of ways.

While the recurrent stalling of past reform efforts over the past few years calls into question whether any or all of these proposals can make it through the highly politicized and divided Congress, bi-partisian sponsorship of most of the bills reported out this week at least raises the possibility that some of these proposals enjoy sufficient bi-partisan support to potentially pass before the elections. With both parties viewing health care reform as a key issue in the upcoming elections, voter feedback on these proposals could play a big role in determining the prospects for passage this Summer.

Passage of any or all of these proposed reforms between now and year end likely will fuel the need for last minute reconsideration and potential adjustments in plan design choices of employers and other health plan sponsors and administrators, reconsideration of health benefit enrollment choices of individual Americans and their families and a reconsideration of practice billing and health plan participation decisions of physicians and other health care providers. Accordingly, health care providers, employers and other health plan sponsors, American taxpayers and their families and others impacted by health care and health benefit policies will want to carefully monitor these reforms as the Summer progresses:

To provide timely input to Congress on proposed reforms of particular benefit or concern;
To help plan for and deal with rules changes that could impact their options and choices during the upcoming health plan renewal and enrollment season this Fall and going forward; and
To be prepared to make informed choices when voting in the upcoming mid-term Congressional elections in November.

To learn more details about this proposed legislation, its potential implications or other related concerns, see here or contact the author.

About the Author

After holding hearings on health savings account reforms and passing a flurry of health care reform bills intended to give employers relief from two key Obamacare mandates, to allow Obamacare subsidy-eligible Americans the choice to use the subsidies to purchase health care coverage not offered by the Obamacare exchanges, and a host of bills that would expand availability and usability of health savings account (HSA) and health care flexible spending account (HFSA) programs this week, the House Ways and Means Committee will turn its attention to health care fraud oversight and reform next week by holding hearings Tuesday on those health concerns. Health care providers, employer and other health plan sponsors, individual Americans and their families, and others interested in health benefit and health care reform will want to keep a close eye on these and other developments as Congress continues to debate health care reform in the runup to the upcoming 2018 health benefit plan renewal and annual enrollment season and November’s mid-term elections.

Committee Approved 11 Health Care Reform Bills This Week

As a part of its health reform efforts this week, the Committee voted to advance 11 health care reform bills offering new flexibility for employers about how to design their health plans and American families more health care choices and choice about how to pay for it and what coverage to buy popular with many providers, patients and employer and other health plan sponsors.

Among the approved legislation is a bill that would provide key relief for employers from certain key Obamacare mandates that have been widely unpopular with employers. H.R. 4616, the “Employer Relief Act of 2018,” sponsored by Rep. Devin Nunes (R-CA) and Rep. Mike Kelly (R-PA), which would give employers sponsoring health plans for their employees retroactive relief from Obamacare’s onerous employer mandate and delay for an additional year the effective date of another Obamacare requirement that when effective, will forces employers to pay the 40 percent tax on amounts paid for employer sponsored health care coverage that exceeds cost limits specified in the Obamacare legislation commonly known as the “Cadillac Tax.” Relief from the Cadillac Tax is widely perceived as benefiting bother employers and their employees, as its provisions penalize employers for spending more for employee health coverage than limits specified in the Obamacare law. These provisions also are particularly viewed by many as unfair because rising health plan costs since Obamacare’s passage make it likely that many employers will incur the tax penalty simply by sponsoring relatively basic health plans meeting the Obamacare mandates.

In addition to H.R. 4616, the Committee also voted to approve H.R. 6313, the “Responsible Additions and Increases to Sustain Employee Health Benefits Act of 2018,” sponsored by Rep. Steve Stivers (R-OH), which would overrule the “Use it Or Lose It” requirement in current Internal Revenue Regulations for HFSAs. Currently, this rule forces employers sponsoring HFSAs to draft their plans to require employees to forfeit unused salary reduction contributions in their HFSA accounts at the end of the year. The bill would allow employers to eliminate this forfeiture requirement so that employees could carry over any remaining unused balances in their HFSAs at the end of the year to use in a later year.

The Committee also voted to advance legislation to offer individuals and families eligible for Obamacare created health premium subsidies more choice about where to obtain that coverage. H.R. 6311, the “Increasing Access to Lower Premium Plans Act of 2018,” sponsored by Chairman Peter Roskam (R-IL) and Rep. Michael C. Burgess, M.D. (R-TX), would provide individuals receiving subsidies to help purchase health care coverage through the Obamacare-created health insurance exchange the option to use their premium tax credit to purchase health care coverage from qualified plans offered outside of the exchanges. Currently, subsidies may only be used to purchase coverage from health plans offered through the exchange, which often are much more costly and offer substantially fewer coverage options and less provider choice. In addition, the bill would expand access to the lowest-premium plans available for all individuals purchasing coverage in the individual market and allows the premium tax credit to be used to offset the cost of such plans.

Along with these reforms, the Committee also voted to pass a host of bills that would expand the availability and usability of HSAs including:

H.R. 6301, the “Promoting High-Value Health Care Through Flexibility for High Deductible Health Plans Act of 2018,” co-sponsored by Health Subcommittee Chairman Peter Roskam (R-IL) and Rep. Mike Thompson (D-CA), which seeks to expand access and enhance the utility of Health Savings Accounts (HSAs) by offering patients greater flexibility in designing their plan design while still being able to maintain their eligibility for HSA contributions.
H.R. 6305, the “Bipartisan HSA Improvement Act of 2018,” sponsored by Rep. Mike Kelly (R-PA) and Rep. Earl Blumenauer (D-OR), which also would expand HSA access and utility by allowing spouses to also make contributions to HSAs is their spouse has an FSA and lets employers offer certain services to employees through on-site or retail clinics.
H.R. 6317, the “Primary Care Enhancement Act of 2018,” co-sponsored by Rep. Erik Paulsen (R-MN) and Rep. Earl Blumenauer (D-OR), which seeks to protect HSA-eligible individuals who participate in a direct primary care (DPC) arrangement from losing their HSA-eligibility merely because of their participation in a DPC. In addition, it allows DPC provider fees to be covered with HSAs.
H.R. 6312, the “Personal Health Investment Today (PHIT) Act,” sponsored by Rep. Jason Smith (R-MO) and Rep. Ron Kind (D-WI), which seeks to fight obesity and promote wellness by allowing taxpayers to use tax-preferred accounts to pay costs of gym membership or exercise classes, children’s school sports programs and certain other wellness programs and activities.
H.R. 6309, the “Allowing Working Seniors to Keep Their Health Savings Accounts Act of 2018,” sponsored by Rep. Erik Paulsen (R-MN), which would expand HSA eligibility to include Medicare eligible seniors who are still in the workforce.
H.R.6199, the “Restoring Access to Medication Act of 2018,” sponsored by Rep. Lynn Jenkins (R-KS) and Rep. Grace Meng (D-NY), which would reverse Obamacare’s prohibition on using tax-favored health accounts to purchase over-the-counter medical products and would add feminine products to the list of qualified medical expenses for the purposes of these tax-favored health accounts.
H.R. 6306, the “Improve the Rules with Respect to Health Savings Accounts,” sponsored by Rep. Erik Paulsen (R-MN), which would increase the contribution limits for HSAs and further enhances flexibility in plans by allowing both spouses to contribute to make catch-up contributions to the same account and creating a new grace period for medical expenses incurred before the HSA was established.
H.R. 6314, the “Health Savings Act of 2018,” sponsored by Rep. Burgess (R-TX) and Rep. Roskam (R-IL), would expand eligibility and access to HSAs by allowing plans categorized as “catastrophic” and “bronze” in the exchanges to qualify for HSA contributions.

Committee Considers Health Care Fraud Next Week

The Committee next week will turn its attention to health care fraud by holding two hearings on Tuesday.

Tuesday morning, the Ways and Means Committee Oversight Subcommittee plans to hold a Hearing on Combating Fraud in Medicare: A Strategy for Success beginning at 10:00 AM Eastern Time; and
Tuesday afternoon, the Ways and Means Committee Subcommittee plans to hold a Hearing on Modernizing Stark Law to Ensure the Successful Transition from Volume to Value in the Medicare Program beginning at 2:00 PM.

Both hearings are scheduled to take place in Room 1100 Longworth and their proceedings will be live streamed on YouTube.

The Committee’s health care reform focus this week and next are reflective of the continued emphasis of members of Congress in both parties on health care reform legislation as they prepare for the impending mid-term elections in November. As a part of these efforts, the House and Senate already over the past several months have held a wide range of hearings in various committees and key votes on a multitude of reform proposals. Numerous other hearings and votes are planned over the next several months as Congressional leaders from both parties work to advance their health care agendas in anticipation of the upcoming elections.

Key health care and health benefit reform proposals that the Republican Majority has designated for priority consideration include:

Prescription drug costs by checking perceived negative effects of health industry and health plan consolidations involving large health insurers, pharmacy benefit management companies (PBMs), pharmacy companies and other health industry and health insurance organizations on health care costs and patient, plan sponsor and plan sponsor choice and health care quality;
Oversight and reform of existing STARK, anti-kickback and other federal health care rules and exemptions relied upon by PBMs and other health industry organizations;
Efforts to understand and address health care treatment, health care and coverage costs and related social concerns associated with mental health and opioid and other substance abuse conditions and their treatment;
Efforts promote health benefit and health care choice, affordability and coverage; improve patient and employer choice; promote broader health care access and quality; reduce counterproductive regulation; and other health insurance and care improvements through expanded availability of health savings accounts, direct primary care and other consumer directed health care options, association health plan and other program options, streamlining quality reporting and regulation, billing and coding, physician and other health care provider electronic billing and recordkeeping, and other provider, payer, employer, individual and other health insurance mandates and other federal health care and health plan rules; and
More.

Health care providers, employers and other health plan sponsors, American taxpayers and their families and others will want to carefully monitor these reforms as the Summer progresses:

To provide timely input to Congress on proposed reforms of particular benefit or concern;
To help plan for and deal with rules changes that could impact their options and choices during the upcoming health plan renewal and enrollment season this Fall and going forward; and
To be prepared to make informed choices when voting in the upcoming mid-term Congressional elections in November.

About the Author

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employer, associations, government and other health benefit sponsors and administrators, public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry, insurance, technology, government and other management clients.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Affordable Care Act, Anti-KickBack, Antitrust, Child Care, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Direct Primary Care, E-Prescribing, Employee Benefits, Employment, Evidence Based Medicine, FDA, Fiduciary Responsibility, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HHS, Home Health, home health, Hospital, hospitals, managed care, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, Patient Empowerment, Pharmaceudical, Pharmacy, Physician, Preexisting Condition Insurance Plan, Prescription Drugs, Psychiatric, Public Policy, quality reporting, Reimbursement, Rural Health Care, substance abuse treatment, Tax, Tax-Exemption, Uncategorized, Veterans Health, Veterans Health Administration, Veterans Health Care | Permalink
Posted by Cynthia Marcotte Stamer

Check Out CMS 2018 Qualified Clinical Data Registry

February 23, 2018

Physicians and other practitioners should check out the measure specifications for the approved 2018 Qualified Clinical Data Registry (QCDR) measures posted by the Centers for Medicare & Medicaid Services (CMS) yesterday (February 22, 2018).

Rather than being grouped by QCDR, this file allows users to group measures by specialty and topic to see what QCDR measures are most applicable to their practice and/or specialty.

CMS also says, the posting of this specification file will act as a reference tool for existing and potential new QCDR vendors who may be interested in developing their own QCDR measures, and should help them to avoid developing and submitting measures that are duplicative of existing QCDR measures.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with health care providers, health plans, insurers and financial services, and other clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career. Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

Fresenius Medical Care Pays $3.5 Million HIPAA Settlement

CDC Director Fitzgerald Resigns

Development of Potentially Preventable Hospitalization Measures for Home Health Agencies Panelist Nominations Due 9/22

MAC Operations Continue During Shutdown

HHS Proposes “Conscience Rule” Expanding Abortion And Other Religious Choice

New Medicaid Guidance Gives States More Flexibility On Abortion

New Trump Executive Order Directs More Veterans Health Care Choice, Mental Health Care

Bankrupt Oncology Provider’s $2.3M Settlement Payment & Other HIPAA Breach Consequences Shows Why To Prioritize HIPAA Compliance In 2018

Bill Allowing FDA Emergency Use Authorizations To Protect Military From Biological Warfare Threats Sent to President

OIG Tells Texas Stop Paying Medicaid MCOs For Dead Patients

Michigan Doctor Pleads Guilty To Billing Medicare For Illegally Prescribed Drugs

Anesthesiology Practice Nailed For Improperly Billing For Moderate Sedation

Florida Doctor Sentenced For Multi-Million Dollar Drug & Alcohol Addiction Treatment Health Care Fraud, Money Laundering & Forced Prostitution Scheme

CMS Announces New Medicare Provider Ombudsman

Comment By 1/8 on Guidance for Industry on Expedited Programs for Serious Conditions– Drugs and Biologics

Time To Tighten Business Travel Policies

DOL Spending Reports Required As Taxpayer Tool Need Improvement

Check & Protect Health & Other Electronic Systems & Data Against New Security Threat

Success 2018

April 1 New Deadline To Update Benefit Plan Disability Determination Claims & Appeals Procedures; Hear More on 1/26

Arizona Proposal To Ban Sexual Harassment Confidentiality Agreements Sign Of Growing Employer Risks

$23M Penalty Small Part of 21st Century’s Data Breach Fallout; Offers Data Breach Lessons For Other Businesses

Take Care of Your Good People

Read Tax Cuts and Jobs Act Conference Report For Tax Reform From Source

Check How IRS 2018 Retirement & Saving Plan Limits and Amounts Cost Of Living Adjustments Impact Your HR & Retirement Plan Administration & Planning

Confirm Your Benefit Plans Ready For New Disability Determination Rules on 1/1/18

Individual Accountability For Performance Matters

Give NLRB Your Input On Union Representation Election Regulations

IRS Prepares To Nail Employers Under Obamacare Mandate While Giving Some Individual Mandate Relief

HHS Picks Hargan As Acting HHS Secretary

OCR Gives Health Care Providers, Other Covered Entities Post-Las Vegas Shooting HIPAA Medical Privacy Guidance On Disclosures To Family, Media & Others For Notification & Other Purposes

RAISE Act Immigration Visa, Visa Holder Public Benefit Limits Create Potential Health Industry Concerns

SCOTUS Bars State Law Restrictions On Health, Other Arbitration Agreement Enforceability

Health Care, Health Plan & Other Health IT Systems Warned of E-Mail Cyber Attack

$2.4M HIPAA Settlement Warns Providers About Media Disclosures Of P HI

CardioNet $2.5M HIPAA Resolution Agreement Schools HIPAA Entities To Clean Up Their Acts

Medical Clinic HIPAA Resolution Agreement Shows Need For Current Business Associate Agreements

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, Accreditation, Affordable Care Act, Ambulatory care, Anethesiology, billing, Conditions of Participation, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Medical Records, Evidence Based Medicine, false claims act, Health Care, Health care coding, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medicare Advantage, Medicare Fee Schedule, Outcomes Data, Physician, quality reporting, quality repoting, Reimbursement, Rural Health Care, Skilled Nursing Facility, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Lessons Every Health Plan, Health Care Provider & Business Associate Should Learn From Bankrupt FileFax’s HIPAA Settlement

February 16, 2018

Health care providers, health plans and insurers, health care clearinghouses (Covered Entities) and their business associates within the meaning of the Health Insurance Portability & Accountability Act (HIPAA) should heed the warnings contained in the new Resolution Agreement (FileFax Resolution Agreement) with former HIPAA business associate FileFax, Inc. announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) about their own need to ensure that they and their business associates comply with HIPAA’s business associate and other Privacy, Security, Breach Notification rules as well as the advisability of tightening up their risk management and oversight of business associates that handle protected health information (PHI).

Significant for business associates as what appears to be the first announced resolution agreement with a business associate directly charged by OCR with violating HIPAA and the second resolution agreement pursued and reached with a HIPAA-regulated entity in bankruptcy, the FileFax, Inc. Resolution Agreement OCR announced February 13, 2018 also contains critical lessons for Covered Entities about their dealings with their own business associates when read in conjunction with the April, 2017 resolution agreement the Center for Children’s Digestive Health (CCDH) agreed to resolve OCR charges CCDC, as a Covered Entity, violated HIPAA by allowing FileFax, Inc. to act as its business associate without adequately complying with HIPAA’s business associate requirements.

With widespread media coverage over large scale breaches of health care and other sensitive information placing further pressure upon OCR and other governmental agencies to act to protect Americans’ privacy and data fueling even greater demands for OCR and other agencies to take meaningful action to enforce HIPAA and other privacy and data security requirements, health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates can expect OCR and other agencies to continue to turn up the heat on investigation and enforcement of HIPAA compliance.

In the face of these developments, Covered Entities, their business associates and those responsible for their leadership and operations need to recognize and take the necessary steps both effectively to manage their own HIPAA compliance and risk management as well as to anticipate and make provision to deal with the likelihood that they may face HIPAA responsibilities, exposures and other fallout from their own or another business partner’s breach of PHI or other sensitive data or other HIPAA violations, bankruptcy or other business distress, or other compliance or business event.

HIPAA Privacy, Security & Breach Notification Rule Responsibilities & Risks

The Privacy Rule requires that Covered Entities and their vendors that qualify as “business associates” under HIPAA comply with detailed requirements concerning the protection, use, access, destruction and disclosure of PHI. As part of these requirements, Covered Entities and their business associates must adopt, administer and enforce detailed policies and practices, assess, monitor and maintain the security of electronic protected health information (ePHI) and other protected health information, provide notices of privacy practices and breaches of “unsecured” ePHI, afford individuals that are the subject of protected health information certain rights and comply with other requirements as specified by the Privacy, Security and Breach Notification Rules. In addition, Covered Entities and business associates also must enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the Covered Entity. Furthermore, the Privacy Rule includes extensive documentation and keeping requirements require that Covered Entities and BAs maintain copies of these BAAs for a minimum of six years and to provide that documentation to OCR upon demand.

Violations of the Privacy Rule can carry stiff civil monetary penalties or even criminal penalties. Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Resolution Agreements the just announced FileFax Resolution Agreement allow Covered Entities and business associates to resolve potentially substantially larger civil monetary penalty liabilities that OCR can impose under the civil enforcement provisions of HIPAA for HIPAA violations through a negotiated settlement process. As amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both Covered Entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the Covered Entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the Covered Entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one Covered Entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

In addition to these potential civil liability exposures, Covered Entities, their business associates and other individuals or organizations that wrongfully use, access or disclose electronic or other protected health information also can face civil liability under various circumstances. The criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

Because HIPAA Privacy Rule criminal violations are Class A Misdemeanors or felonies, Covered Entities and business associates should include HIPAA compliance in their Federal Sentencing Guideline Compliance Programs and practices and need to be concerned both about criminal exposure for their own direct violations, as well as imputed organizational liability for violations committed by their employees or agents under the Federal Sentencing Guidelines, particularly where their failure to implement or administer these required compliance policies and practices or failure to properly investigate or redress potential violations enables, perpetuates or covers up the criminal breach.

FileFax, Inc. Breach & Resolution Agreement

While Congress amended the Civil Monetary Penalty provisions of HIPAA enforced by OCR to make many of the requirements and Civil Monetary Penalty sanctions of HIPAA directly enforceable by OCR against business associates as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, the FileFax Resolution Agreement appears to be the first HIPAA resolution agreement with a business associate announced by OCR.

Indeed, OCR’s enforcement action that resulted in the FileFax Resolution Agreement would never have occurred had FileFax, Inc. not become involved in handling medical records containing PHI in the capacity of a business associate for Covered Entities.

Before filing for bankruptcy in 2016, FileFax, Inc. advertised it provided HIPAA-compliant storage, maintenance, and delivery of medical records for HIPAA Covered Entities including Illinois based health care provider CCDC, which entered into a resolution agreement with OCR in April, 2017 to resolve OCR charges that it violated HIPAA by allowing FileFax, Inc. to handle PHI without fulfilling HIPAA’s business associate agreement requirements.

Like the CCDC Resolution Agreement, the FileFax, Inc. Resolution Agreement resulted from an investigation of FileFax, Inc. that OCR began in response to a February 10, 2015 anonymous complaint filed with OCR about FileFax, Inc. about deficiencies in its delivery of these HIPAA services in its capacity as a business associate to Covered Entities. The complaint to OCR alleged that FileFax, Inc. violated these requirements because an individual transported medical records obtained from FileFax, Inc. to a shredding and recycling facility to sell on February 6 and 9, 2015.

OCR’s investigation of the complaint against FileFax, Inc. confirmed that an individual had left medical records of approximately 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ PHI. OCR’s investigation additionally found that between January 28, 2015, and February 14, 2015, FileFax, Inc. impermissibly disclosed the PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the FileFax, Inc. parking lot, or by granting permission to an unauthorized person to remove the PHI from FileFax, Inc. and leaving the PHI unsecured outside the FileFax, Inc. facility.

After OCR commenced its investigation of the complaint, FileFax, Inc. was placed into bankruptcy and a receiver was appointed to liquidate FileFax, Inc.’s assets for distribution to creditors and others in 2016. Despite the bankruptcy, OCR continued to pursue enforcement against FileFax, Inc. for the HIPAA violations it found through its investigation. On February 13, 2018, OCR announced that that the receiver on behalf of FileFax, Inc. had agreed in the FileFax Resolution Agreement to pay a $100,000 monetary settlement out of the bankruptcy estate and to arrange to properly store and dispose of remaining medical records found at FileFax, Inc.’s facility in compliance with HIPAA to resolve OCR’s HIPAA charges against FileFax, Inc.

OCR Previously Sanctioned Covered Entity For Involvement With FileFax, Inc.

Beyond affirming the exposure business associates to OCR civil monetary penalties or other enforcement for violating HIPAA, the FileFax Resolution Agreement in conjunction with OCR’s previously announced April 20, 2017 resolution agreement (CCDC Resolution Agreement) with CCDC also demonstrates the need for Covered Entities to recognize that their organizations are likely to face HIPAA investigations or enforcement from HIPAA violations by or OCR audits or investigations of the conduct of their business associates.

In fact, this is exactly what happened to CCDC. A small, Illinois based Covered Entity, CCDC used FileFax, Inc. to store and dispose of medical records. As a consequence of the FileFax, Inc. investigation, OCR conducted a compliance review of CCDC. OCR reports that its compliance review revealed that while CCDC had disclosed to and allowed FileFax, Inc. to store records containing PHI for CCDC since in 2003, neither party could produce a signed business associate agreement (BAA) prior to October 12, 2015. As a consequence, OCR charged CCDC with violating HIPAA by disclosing PHI to FileFax, Inc. in violation of HIPAA’s business associate requirements.

To resolve its exposure to potentially much greater civil monetary penalties associated with this charge, CCDC agreed under the CCDC Resolution Agreement to pay OCR a $31,000 resolution payment and take a variety of corrective actions. Beyond requiring CCDC to implement and maintain written business associate agreements before allowing business associates to possess or access PHI, the corrective action plan imposed as part of the CCDC Resolution Agreement also expressly requires CCDC to promptly investigate information of a possible violation of its HIPAA policies and procedures by a “workforce member,” which the Privacy Rule defines to include a business associate, and if the investigation reveals a violation, to report the violation and corrective action taken to OCR.

OCR Enforces HIPAA Against Covered Entities & Business Associates In Bankruptcy

OCR’s announcement of the FileFax Resolution Agreement also is significant in its reaffirmation of OCR to its commitment to HIPAA enforcement, even if the HIPAA-violating Covered Entity or business associate goes bankruptcy.

OCR’s enforcement action against FileFax, Inc. despite its bankruptcy and its successful negotiation of the FileFax Resolution Agreement within the bankruptcy should alert Covered Entities and business associates that OCR does not consider the bankruptcy of a Covered Entity or business associate as an obstacle to OCR enforcement against Covered Entities or business associates that violate HIPAA. The seriousness of OCR’s commitment to enforcement, even in the face of bankruptcy is driven home by its announcement of the FileFax Resolution Agreement on the heels of its December, 2017 announcement of its first OCR HIPAA resolution agreement secured with the formal approval of a bankruptcy court, a resolution agreement (21CO Resolution Agreement) against bankrupt health care provider, 21CO.

Secured with bankruptcy court approval, the 21CO Resolution Agreement resolved potentially much larger civil monetary penalties that the Fort Myers, Florida based provider of cancer care services and radiation oncology could have faced for alleged HIPAA breaches OCR charged it committed in connection with its failure to adequately act to prevent and respond to hacking and misappropriation of records containing sensitive electronic protected health information (ePHI) of up to 2,213597 individuals.

The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 than unauthorized third party illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by a FBI informant. As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.

Although it knew of the breaches in November and December, 2015, 21CO waited more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March, 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.

When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused. However some victims of the breach subsequently have claimed being victimized by a variety of scams since the breach in news reports and lawsuits about the breach.

At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues. On December 16, 2015, 21CO announced that a 21CO subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015). Among other things, the corporate integrity agreement required by that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws. In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA. See 21CO 8-K Re: GAMMA Settlement March 9, 2016 ; See also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.

Based on OCR’s subsequent investigation into these breaches, OCR found:

21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. §164.308(a)(1)(ii)(D);
21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement entered into with the approval of the Bankruptcy Court requires that 21CO pay OCR a $2.3 million Resolution Amount and implement to OCR’s satisfaction a corrective action plan that among other things requires that 21CO complete a detailed series of corrective actions to the satisfaction of OCR.

In addition to the OCR investigation that lead to the 21CO Resolution Agreement announced by OCR on December 28, 2017, 21CO experienced other fallout following its March 4, 2016 public disclosure of the breach. Not surprisingly, the breach notification led to a multitude of class-action civil lawsuits by breach victims and shareholders. See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits. Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts. See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.

These and other developments also had significant consequences on 21CO’s financial status and leadership. By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements. Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders, default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.

Because 21CO sought bankruptcy court protection from the fallout of its HIPAA breaches and other compliance and business issues, the 21CO Resolution Agreement required bankruptcy court approval. Funds for payment of the required $2.3 million resolution payment and other charges associated with the investigation apparently are being provided in part from breach liability insurance coverage provided under a policy issued by Beazley Insurance, as the Bankruptcy Court order directs Beazley Breach Response Policy No. W140E2150301 to make immediate payment to the OCR of the resolution amount and the payment of fees incurred by 21CO in connection with regulatory defense issues.

HIPAA & Data Breach Enforcement & Other Risks Growing

Covered Entities, their business associates, their leaders, investors and members of their workforce need to recognize that the FileFax, CCDC, 21CO and other resolution agreements are part of a growing trend, rather than isolated incidents of enforcement and that their exposure to investigation and enforcement is likely to continue to rise in the face of growing public and Congressional concern about privacy and data security.

While civil monetary penalty enforcement remains much more common than criminal prosecution, Covered Entities, their business associates and members of their workforce must understand that HIPAA enforcement and resulting liability is growing and that this trend is likely to continue if not increase.

While Department of Justice federal criminal prosecutions and convictions under HIPAA remain relatively rare, they occur and are growing. See e.g., Former Hospital Employee Sentenced for HIPAA Violations (Texas man sentenced to 18 months in federal prison for obtaining protected health information with the intent to use it for personal gain); Three Life Sentences Imposed On Man Following Convictions For Drug Trafficking, Kidnapping, Using Firearms and HIPAA Violations (drug king pin gets multiple 10 year consecutive prison terms for unauthorized access to private health information in violation of HIPAA; his health care worker friend sentenced for accessing electronic medical files and reporting information to him); Former Therapist Charged In HIPAA Case; Hefty Prison Sentence in ID Theft Case (former assisted living facility worker gets 37 months in prison after pleading guilty to wrongful disclosure of HIPAA protected information and other charges); Hefty Prison Sentence in ID Theft Case (former medical supply company owner sentenced to 12 years for HIPAA violations and fraud). While the harshest sentences tend to be associated with health care fraud or other criminal conduct, lighter criminal sentences are imposed against defendants in other cases as well. See e.g., Sentencing In S.C. Medicaid Breach Case (former South Carolina state employee sentenced to three years’ probation, plus community service, for sending personal information about more than 228,000 Medicaid recipients to his personal e-mail account.); HIPAA Violation Leads To Prison Term (former UCLA Healthcare System surgeon gets four months in prison after admitting he illegally read private electronic medical records of celebrities and others.)

While criminal enforcement of HIPAA remains relatively rare and OCR to date only actually has assessed HIPAA civil monetary penalties against certain Covered Entities for violating HIPAA in a couple isolated instances, the growing list of multi-million dollar resolution payments against Covered Entities and with the FileFax Resolution Agreement announcement, now also business associates for violating HIPAA make clear that HIPAA enforcement is both meaningful and growing. See e.g., Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules ($3.2 million Children’s Medical Center HIPAA Civil Monetary Penalty); 1st HIPAA Privacy Civil Penalty of $4.3 Million Signals CMS Serious About HIPAA Enforcement; $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit. For more examples, also see here.

The experiences of FileFax, Inc., CCDC, 21CO and these other OCR HIPAA Resolution Agreements provide strong evidence that that health plans and other Covered Entities and their business associates can anticipate that OCR will continue to zealously investigate HIPAA breaches and other HIPAA violations. Aside from OCR’s recurrent affirmations of its commitment to HIPAA enforcement, Covered Entities, their business associates and their leaders must recognize that public and Congressional privacy and data security concerns fueled by the ever growing stream of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses are creating additional pressure upon OCR and other agencies to pursue even stronger and more aggressive HIPAA oversight and enforcement. Amid this growing concern, OCR, the FTC and other federal and state agencies with regulatory or enforcement authority over HIPAA or other data security and privacy concerns face increasing scrutiny and pressure to take meaningful action to regulate and enforce HIPAA and other laws intended to protect sensitive data even as private litigants enjoy increasing success in obtaining civil judgments from damages resulting from breaches of their PHI or other sensitive personal information using an expanding arsenal of legal theories of recovery. In the face of these growing concerns about privacy and data security, OCR can be expected to continue, if not increase its HIPAA compliance enforcement and oversight by OCR.

Furthermore, the experiences of FileFax, Inc., 21CO, CCDC and other Covered Entities and business associates that already have become the subject of OCR investigation or enforcement also reflect that HIPAA resolution payments or penalties paid to OCR and other costs and expenses associated with the defense and resolution of OCR’s investigations and enforcement actions typically only a portion of the financial and other business consequences that Covered Entities or business associates might expect to incur as a consequence of a breach of PHI or other substantial HIPAA violation or charge.

Beyond their potential HIPAA enforcement exposures following a HIPAA covered data breach or other violation, health care or other Covered Entities and members of their workforce experiencing breaches of ePHI or other PHI often also face FTC or other government investigations and enforcement relating their data breaches under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other laws. They or members of their workforce may face licensing board, credentialing, accreditation, contractual or other investigations or sanctions. Victims, business partners, investors and others often bring civil litigation to address losses or other injures associated with the breach or other misconduct. In addition, losses and disruptions in patients, plan member, vendor, investor, employee, management and other business relationships, and other business disruptions also are common.

Where the breach of other HIPAA violation involves a health plan, health plans, their fiduciaries and sponsors also need to give due consideration to the implications and exposures that might arise under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Beyond the direct exposure of their health plan to HIPAA and other compliance liabilities, health plan fiduciaries generally will want to consider whether their fiduciary responsibility under ERISA requires that prudent or other steps be taken to safeguard health plan information and maintain and administer their health plan in accordance with HIPAA and other laws. As a consequence, fiduciaries generally will want to ensure that they take and document prudent steps to evaluate, monitor and address HIPAA and other privacy and data security safeguards to minimize not only the liability exposures of their health plans, but also to help mitigate their own potential personal liability exposures that could arise or be asserted in response to a HIPAA breach or other HIPAA violation involving their health plans.

In the face of these growing risks and liabilities, Covered Entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences. In addition to reaffirming the need for Covered Entities and their business associates to take the necessary steps to maintain and effectively demonstrate the adequacy of their own HIPAA compliance, the CCDC and FileFax Resolution Agreements alert Covered Entities and business associates of the advisability of greater oversight and risk management of their dealings and relationships with the other Covered Entities and business associates with access to or involvement with their PHI or other critical functions.

In light of these rises, leaders, investors, insurers, lenders and others involved with Covered Entities and their business associates should take steps to verify that the Covered Entities and their business associates not only maintain compliance with HIPAA and its business associate and other privacy, data security and breach notification and response requirements, but also maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data. The bankruptcies and other financial and business fallout of HIPAA or other data breaches experienced by FileFax, Inc. 21CO and other HIPAA-covered and non-HIPAA regulated entities also makes clear that Covered Entities and business associates should anticipate that their own fallout from a breach or other HIPAA event and resulting responsibilities and consequences could be impacted by their own or a business associate’s financial distress or bankruptcy. Beyond the risk that their own or another entity’s breach, compliance issues, or other financial or business issues could trigger breach investigation, notice or other responsibilities for their own organizations, Covered Entities, business associates and their leaders also should evaluate and revise their HIPAA risk assessments and security plans to address foreseeable threats to the availability, access, retention and security of PHI and associated records and systems.

The Bankruptcy Court’s order to 21CO’s cyber liability insurer to pay the resolution payment required under the 21CO Resolution Agreement and other costs of investigation and defense also strongly suggests that the purchase of insurance and other arrangements for funding costs of defense or settlement should be included in these evaluations.

As part of these efforts, Covered Entities and their business associates should ensure that they have conducted, and maintain and are ready to produce appropriate policies and procedures backed up by a well-documented, up-to-date industry wide risk assessment of their organization’s susceptibility to breaches or other misuse of electronic or other protected health information. The starting point of these efforts should be to adopt and enforce updated written policies, procedures, technical and physical safeguards, processes and training to prevent the improper use, access, destruction or disclosure of patient PHI. Processes also should create, retain and be designed to cost effectively track, capture, and retain both all protected health information, its use, access, protection, destruction and disclosure, and the requisite supportive documentation supporting the appropriateness of those action to position the organization cost-effectively and quickly to fulfill required accounting, reporting and other needs in the event of a data breach, audit, participant inquiry or other event.

As part of this process, Covered Entities and business associates should maintain strong and ongoing processes for assessing and monitoring the adequacy of their policies and practices. In addition to ensuring that their organization has a comprehensive risk management and compliance assessment, Covered Entities and business associates need to conduct documented periodic audits and spot HIPAA audits and assessments. In doing so, they must use care to look outside the four corners of their Privacy Policies and core operating systems to ensure that their policies, practices, oversight and training address all protected health information within their operations on an entity wide basis. This entity-wide assessment should include communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer.

In connection with these efforts, the enforcement actions make clear that Covered Entities and business associates should adopt, implement and monitor PHI privacy, and security on an entity wide basis. These efforts should include general policies, practices and procedures as well as specifically tailored policies, processes and training to protect PHI and preserve HIPAA compliance throughout their organization. Testing and analysis should be conducted on a regular basis. Documented reassessments and testing should be performed in response to software, hardware or other changes or events that could impact security or other operations. Beyond security, attention also should cover business or system interruption including losses that might occur from the bankruptcy, termination of business or other disruptions of business associates or other parties. Attention should be paid both to protecting access and use of PHI and ePHI in the course of business as well as the transmission, transport, storage and destruction of records or systems containing such information.

Careful attention should be devoted to ensuring that business associate agreements as well and other processes provide for HIPAA compliance with respect to all PHI created, used, accessed or disclosed to business associates or others not part of their direct workforce or operating outside the core boundaries of their facilities.

Covered entities and their business associates also must recognize and design their compliance efforts and documentation recognizing that HIPAA compliance is a living process, which require both constant diligence about changes in systems or other events that may require reevaluation or adjustments, whether from changes in software, systems or processes or external threats.

Because the cost of responding to and investigating breaches or other compliance concern can be quite burdensome, Covered Entities and their business associates also generally will want to pursue options to plan for and minimize potential expenses in the design and administration of their programs as well as to minimize and cover the potentially extraordinary costs of breach or other compliance investigation and results that commonly arise following a breach or other compliance event. As a part of this planning, Covered Entities and their business associates also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures.

While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, Covered Entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

About The Author

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

Leave a Comment » | Academic medicine, Ambulatory care, Anethesiology, Centers For Disease Control, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Cyber crime, data breach, data security, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, FACTA, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, Health Care, Health care coding, Health Care Provider, health care reimbursement, Health Insurance Exchange, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HHS, HIPAA, HIPAA Cyber Crime, home health, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Joint Commission, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Privacy, Public Policy, Technology, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

HHS Proposes “Conscience Rule” Expanding Abortion And Other Religious Choice

January 19, 2018

The Department of Health and Human Services (HHS) today (January 19, 2018) announced two additional actions to protect life and the conscience rights of Americans.

First, HHS’ Centers for Medicare & Medicaid Services (CMS) issued new guidance to state Medicaid directors restoring state flexibility to decide program standards. The letter to State Medicaid Directors issued today rescinds 2016 guidance that specifically restricted states’ ability to take certain actions against family-planning providers that offer abortion services.

Additionally, HHS’ Office for Civil Rights (OCR) also announced it is issuing a new proposed s rule (“Conscience Rule”) to enforce 25 existing statutory conscience protections for Americans involved in HHS-funded programs, which protect people from being coerced into participating in activities that violate their consciences, such as abortion, sterilization, or assisted suicide.

Modeled on existing regulations for other civil rights laws, the proposed rule provides protections for Americans’ conscience rights. Interested persons will have 60 days to comment on the proposed rule. However since President Trump took office OCR already has stepped up enforcement of these conscience statutes, many of which saw little to no enforcement activity under the previous administration.

The proposed rule when finalized will apply to entities that receive funds through programs funded or administered in whole or in part through HHS. It requires, for instance, that entities applying for federal grants certify that they are complying with the above-mentioned conscience-protection statutes.

The release of the proposed rule was accompanied by the rescission by the Centers for Medicare and Medicaid Services of a letter to State Medicaid Directors rescinding restrictions on state flexibility to decide when and how their state Medicaid programs cover abortion and certain other reproductive care. It also follows the Trump Administration’s announcement of plans to found a new division within the Office of Civil Rights that will focus on enforcement of conscience and religious rights.

About the Author

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Abortion, Birth Control, Civil Rights, Cultural diversity, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, home health, Hospital, hospitals, Medicaid, Medicare, Mental Heatlh, OCR, Physician, Reimbursement, Rural Health Care, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

New Medicaid Guidance Gives States More Flexibility On Abortion

January 19, 2018

On Friday, January 19, 2018, The Centers for Medicare and Medicaid Services (CMS) issued a State Medicaid Director Letter restoring state flexibility to establish reasonable standards for their Medicaid programs regarding abortion.

The letter rescinds State Medicaid Directors Letter #16-005 that limited states’ long-standing authority to regulate providers operating within their states issued in April 2016.

The 2016 letter had said that states that attempted to protect the integrity of their program standards by disqualifying abortion providers from their Medicaid programs would come under CMS scrutiny, and would be required to present to CMS evidence of criminal action or unfitness to perform healthcare services.

The letter to State Medicaid directors published Friday states CMS is concerned that the 2016 letter may have gone beyond merely interpreting what the statute and current regulations require.

The new letter returns CMS policy to what it was prior to the issuance of the 2016 letter while requiring States to comply with all applicable statutory and regulatory requirements, including the requirement that provider qualification standards be reasonable.

Concurrent with the issuance of the letter, CMS also is issuing new regulations requiring certain conscience protections in programs and facilities funded in whole or part by the Department of Health and Human Services and follows the Trump Administration’s announcement Thursday of a new Conscience and Religious Freedom Division within the HHS Office of Civil Rights.

In addition to these regulatory actions, legislation regarding Medicaid abortion coverage also has been introduced. See, e.g., H.R. 4848 (requiring States Report Medicaid payments for abortion); H.R. 4844 (to ensure that women seeking an abortion receive an ultrasound and the opportunity to review the ultrasound before giving informed consent to receive an abortion).

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health care, workforce, employee benefits and compensation, insurance and financial services,and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps U.S. and international private sector and government health industry, health and managed care plans and insurers, health IT, life sciences and other clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Abortion, Ambulatory care, Birth Control, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Cultural diversity, Doctor, Federal Health Center, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospital, Medicare, Medicare Advantage, Medicare Fee Schedule, Physician, Prescription Drugs, Reimbursement, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Review Your Provider Performance Data

December 13, 2017

January 3 is Deadline for Inpatient Rehabilitation Facility (IRF) and Long-term Care Hospital (LTCH) providers to review their Medicare performance data on each quality measure based on Quarter 2 -2016 to Quarter 1 – 2017 data, before the March 2018 IRF and LTCH Compare refresh, during which this data will be publicly displayed.

Providers have until January 3, 2018 to review their performance data.

Corrections to the underlying data will not be permitted during this time. However, providers can request a CMS review during the preview period if they believe their data is inaccurate.

For more information, see:

IRF Quality Public Reporting webpage, IRF Compare, and Preview Report Access Instructions
LTCH Quality Public Reporting webpage, LTCH Compare and Preview Report Access Instructions

About the Author

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Clinical pathway, Electronic Medical Records, Health care coding, health care reimbursement, HHS, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Medicare Fee Schedule, quality reporting, Reimbursement, Uncategorized | Tagged: CMS, Health Care Compliance, Health Care Policy, health care quality, Health Care Reimbursement, Hospitals, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

HHS Picks Hargan As Acting HHS Secretary

October 11, 2017

President Trump has appointed Eric D. Hargan Acting Secretary of the U.S. Department of Health and Human Services (HHS).

Hargan, who was just sworn into office as Deputy Secretary of HHS on Oct. 6, 2017, takes over the duties of former Secretary Dr. Tom Price, who recently resigned in response to criticism about his expenditures for charter flights.

Before joining HHS, Mr. Hargan was an attorney, most recently a shareholder in Greenberg Traurig’s Chicago office in the Health and FDA Business department, where he focused his practice on transactions, healthcare regulations and government relations. He represented investors, companies, and individuals in healthcare investments and issues across the entire sector.

From 2003 to 2007, Mr. Hargan served at HHS in a variety of capacities, ultimately holding the position of Acting Deputy Secretary. During his tenure at HHS, Mr. Hargan also served as the Department’s Regulatory Policy Officer, overseeing the development and approval of all HHS, CMS, and FDA regulations and significant guidances.

Prior to this role, he served HHS as Deputy General Counsel. More recently, he was tapped by Governor Bruce Rauner to serve during transition as lead co-chair for Gov. Rauner’s Healthcare and Human Services committee.

During his time in Illinois, Mr. Hargan taught at Loyola Law School in Chicago, focusing on administrative law and healthcare regulations. He was a member of the U.S. government team at the inaugural U.S.-China Strategic Economic Dialogue in Beijing in 2006-2007, worked with the State Department’s Bureau of Arms Control to advance biosecurity in developing nations, and initiated and led the HHS team that developed the first responses to international food safety and importation issues in 2007.

He received his B.A. cum laude from Harvard University, and his J.D. from Columbia University Law School, where he was Senior Editor of the Columbia Law Review. Mr. Hargan also received a Certificate in International Law from the Parker School of Foreign and Comparative Law at Columbia University.

Before returning to Washington, D.C., Mr. Hargan lived in the suburbs of Chicago with his wife, Emily, and their two sons.

About The Author

Ms. Stamer works with health industry and related businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management, disaster and other crisis preparedness and response, and other performance and operations management and compliance. Her experienced includes career long involvement in advising and defending health industry and other organizations about disaster and other crisis preparation, response and mitigation arising from natural and man-made disasters, government enforcement, financial distress, workplace emergencies and accidents, data breach and other cybersecurity and other events. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and publisher disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Centers For Disease Control, Childrens Health Insurance Program, Conditions of Participation, data breach, data security, DEA, Doctor, Electronic Medical Records, EMTALA, FDA, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medicaid, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, OCR, OIG, Outcomes Data, Outpatient, Peer Review, Pharmaceudical, Pharmacy, Physician, Preexisting Condition Insurance Plan, Prescription Drugs, Privacy, Prospective Payment, Psychiatric, public health, Public Policy, quality reporting, Reimbursement, Reproductive Rights, Rural Health Care, Skilled Nursing Facility, Stark, Substance Abuse, substance abuse treatment, Telemarketing, Telemedicine, Uncategorized, Wellness | Tagged: Affordable Care Act, controlled substance, drugs, false claims act, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Care Reimbursement, Health Plans, HEAT, HHS, HIPAA, Hospital, Medicaid, Medicare, OCR, pain management, pharmacist, pharmacy, Physician, Physicians, Privacy, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Total Nurse Staffing

CMS Tightening LTC Assessments

Temporary Limited Exceptions

Implementation Deadlines

CMS Nursing Home Staffing Campaign

Begin Preparing Now

For Additional Information

About the Author

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE

Share this:

For More Information

About the Author

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Duty To Guard Against Malware

Green Ridge Ransomeware Breach

First Malware Settlement

Warning To All Covered Entities

For More Informational

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Proposed HHS Grants Rule Overview

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Banner Health Settlement

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

eCQMs As Measure of Health Care Quality

2022 eCQMs Updates

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

About Solutions Law Press, Inc.™

Important Information About This Communication

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Visitation

Vaccination

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this: