2/11/19 Deadline To Comment On Reducing HIPAA Regulatory Burden

December 13, 2018

February 12, 2019 is the deadline for health care providers, health plans, health care clearinghouses, their business associates, health care consumers, employer and other plan sponsors and fiduciaries, and other concerned persons to provide input on reducing the regulatory burdens of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules in response to the December 12, 2018 invitation of the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

OCR issued the invitation for public comment in a December 12, 2019 Request for Information (RFI).  The RIF seeks input from the public on how OCR’s HIPAA Privacy and other Rules could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare. This RFI is a part of the Regulatory Sprint to Coordinated Care, an initiative led by HHS Deputy Secretary Eric Hargan.

HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients’ ability to exercise their rights with respect to their PHI.

OCR’s December 12, 2018 press release concerning the RFI indicates that OCR is looking for candid feedback about how the existing HIPAA regulations are working in the real world and how OCR can improve them to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

Public comments on the RFI are due by February 11, 2019.

The RFI follows up on OCR’s announcement of another series of high dollar resolution agreements against covered entities and business associates for alleged breaches of HIPAA’s Privacy or Security Rules, as well as publication of various new guidance intended to help patients, their families, covered entities, business associates and others understand when HIPAA restricts or allows the release of protected health information by covered entities and business associates in mass shooting or other disaster situations, when dealing with patients with substance abuse or mental health conditions and in various other scenarios.  Covered entities, their business associates as well as employer and other health plan sponsors, fiduciaries and others involved with protected health information transactions and disclosures should review this new guidance and evaluate its implications on their actions and practices in addition to sharing input with OCR about opportunities to improve existing HIPAA Rules.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health care and health benefit arrangements, contracts, systems, and processes throughout her career.  In addition to her extensive provider and payer contracting work, Ms. Stamer also is recognized for her knowledge, experience and leadership on health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

As a key part of this work, Ms. Stamer throughout her career regularly has worked with health care providers and payers, employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce managed care and other contracts, benefit plans and insurance arrangements, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors, supplier, and patient and member relations and requirements; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Allergy Practice $125,000 Settlement Reminds Health Care Providers, Other HIPAA Entities Of Press-Related HIPAA Risk

November 27, 2018

Physician practices and other health care providers, health plans and insurers, health care clearinghouses (“Covered Entities”) and their business associates should learn from the costly schooling the Allergy Associates of Hartford, P.C. (“Allergy Associates”) is paying to settle charges that its physician violated the Privacy Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) by commenting to a reporter on a patient complaint under a Resolution Agreement and Corrective Action Plan (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (“OCR”) yesterday (November 26, 2018).  The latest in a series of OCR HIPAA settlements arising from health care providers improperly discussing or disclosing protected health information (PHI) with the press or other media, the Resolution Agreement reminds health care providers and other HIPAA-Covered Entities and their business associates not to discuss or disclose PHI  with the media or others without first obtaining a HIPAA compliant authorization even to respond to accusations made by the patient or others.

Allergy Associates HIPAA Complaint Charge & Resolution

On November 26, 2018, OCR announced  that Allergy Associates, a three doctor health care practice that specializes in treating individuals with allergies at four locations across Connecticut, has agreed to pay OCR $125,000 and take corrective action under the Resolution Agreement to resolve charges that the comments a physician made to a reporter on a patient dispute with the practice in 2015 violated HIPAA.

According to OCR, the disclosure of patient information that prompted OCR’s HIPAA charges resulted from a physician associated with the practice commenting to a local television station reporter doing on a story about a disabled patient’s complaint to the station that Allergy Associates turned her away from a scheduled appointment because of her use of a service animal.  After the patient contacted the television statement to complain about being turned away by the practice when accompanied by her service animal, the Resolution Agreement indicates that the station contacted the doctor for comment about the dispute between the Allergy Associates’ doctor and the patient.  Although OCR reports its investigation revealed that Allergy Associates’ Privacy Officer instructed the doctor to either not respond to the media or respond with “no comment,” the doctor nevertheless accepted the television station reporter’s invitation to comment and discussed the dispute with the reporter.

The physician’s comments to the reporter were brought to the attention of OCR when OCR received a copy of an October 6, 2015, HHS civil rights complaint filed on behalf of the patient with the Department of Justice, Connecticut, U.S. Attorney’s Office (DOJ) by the Connecticut Office of Protection and Advocacy for Persons with Disabilities (OPA).  In response to this complaint, OCR initiated a joint investigation with DOJ into the civil rights allegations against Allergy Associates. The complaint also alleged that Allergy Associates impermissibly disclosed the patient’s PHI in violation of HIPAA.

OCR found the physician’s discussion of the patient’s complaint without first obtaining a HIPAA-complaint authorization from the patient both violated HIPAA and demonstrated a reckless disregard for the patient’s HIPAA privacy rights.  Additionally, Resolution Agreement also states that OCR’s investigation revealed that Allergy Associates did not take any disciplinary or other corrective action against the doctor after learning of his impermissible disclosure to the media.

To resolve the HIPAA charges, Allergy Associates agrees in the Resolution Agreement and Corrective Action Plan to pay $125,000 as well as to undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Other Providers Also Paid High Price To OCR For Sharing PHI With Media

Of course, OCR enforcement action against and Resolution Agreement with Allergy Associates is just one of several reported OCR actions against health care providers for improperly disclosing or allowing the press or other media access to PHI without patient authorization.

For instance, a Resolution Agreement announced by OCR on June 14, 2013 required Shasta Regional Medical Center (SRMC) to pay OCR $275,000 and implement a series of corrective actions for using and disclosing to the media PHI of a patient while trying to perform public relations damage control against accusations reported in the media that SRMC had engaged in fraud or other misconduct when dealing with the patient.   That Resolution Agreement resulted from OCR investigating a January 4, 2012 Los Angeles Times article report that two SRMC senior leaders had met with media to discuss medical services provided to a patient.  OCR’s investigation indicated that SRMC failed to safeguard the patient’s PHI from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review also revealed senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.  Further, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

The sanctions were even greater in the May 10, 2017 Resolution Agreement and Corrective Action Plan OCR announced with the largest not-for-profit health system in Southeast Texas, Memorial Hermann Health System (MHHS) for issuing a press release with the name and other PHI  about a patient arrested and charged with presenting an allegedly fraudulent identification card to MHHS office staff to fraudulently obtain care without first obtaining a HIPAA-compliant authorization from the patient. MHHS paid OCR a $2.4 million resolution payment to resolve HIPAA charges OCR brought against MHHS as well as agreed to implement a detailed corrective action plan.  See $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI.

The costs of resolution have been even higher when OCR has addressed disclosures to media made by health care providers or other Covered Entities that allowed their desire for media publicity and coverage of their organizations ahead of patient privacy.  For instance, OCR collected a $2.2 million resolution payment from New York Presbyterian Hospital (NYP) for allowing unauthorized filming and photographing of patients in its facility by a television film crew and other staff filming for the television program “NY Med”  in the hospital.  See $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use.

Furthermore, earlier this year OCR collected a total of $999,0000 from Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH)(collectively, the “Hospitals”) for putting publicity before patient privacy by allowing ABC News documentary film crews to film patients and access other patient information for a news documentary without obtaining prior patient authorization under three settlement agreements with the Hospitals announced by OCR in September, 2018.  The payments were made under three separate settlement agreements between OCR and each respective Hospital made public by OCR in connection with the September 20, 2018 announcement stemming from the Hospital’s allowing ABC film crews to film in patient treatment and other areas for  the ABC medical documentary “Save My Life: Boston Trauma” series.  See $999K Price Hospitals Pay To Settle HIPAA Privacy Charges From Allowing ABC To Film Patients Without Authorization.

OCR’s concern about and intolerance for improper disclosures of PHI to the media by health care providers and other Covered Entities is further demonstrated by OCR’s publication of  its 2016 Frequently Asked Question (Media FAQ) addressing Covered Entities’ responsibilities when dealing with the media coincident with OCR’s announcement of its Resolution Agreement with NYP in 2016.   The Allergy Associates’ Resolution Agreement further reinforces OCR’s continuing commitment to hold health care providers and other Covered Entities and their business associates accountable for complying with HIPAA when dealing with the press and other media.  In the fact of this commitment, health care providers and other Covered Entities must take the necessary steps to implement the appropriate policies, training and controls to ensure that they and their staff and representatives comply with these directives when dealing with press and other media.

Resolution Agreement Also Highlights Need For Sensitivity When Dealing With Disabled Patients With Service Animals

Beyond the HIPAA charges and settlement discussed in the Resolution Agreement, health care providers and other Covered Entities also should heed the factual circumstances that prompted the television interview of the Allergy Associates’ physician that prompted the OCR HIPAA enforcement action as a precautionary warning to ensure that their policies, procedures and staff training for dealing with disabled patients supported by service animals are defensible legally and in the court of public opinion.

The Allergy Associates Resolution Agreement states that OCR’s HIPAA investigation was conducted in response to and in tandem with a Department of Justice (“Justice Department”) Office of Civil Rights investigation of a complaint that Allergy Associates violated the patient’s civil rights by improperly refusing to allow the patient’s service animal to accompany the patient during the patient’s appointment.  The patient’s complaint about the practice that the television reporter asked for and obtained the comments from the Allergy Associates’ physician that OCR found violated HIPAA related to Allergy Associates refusing to allow the patient to be accompanied by her service animal during her appointment with Allergy Associates.

While research as of the date of the publication of this article did not uncover any published record of any Justice Department prosecution or settlement or other official notification concerning the Justice Department civil rights investigation against Allergy Associates, the Justice Department Office of Civil Rights as well as the HHS OCR Civil Rights Division have in the past pursued enforcement action against health care providers and others for improperly restricting or denying access to care or facilities by disabled persons based on their accompaniment by service animals.

Title III of the Americans With Disabilities Act (“ADA”) generally prohibits places of public accommodations, including the professional office of a health care provider, from discriminating against any individual on the basis of disability in the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation, by any person who owns, leases (or leases to), or operates a place of public accommodation, including health care services. 42 U.S.C. § 12182(a); 28 C.F.R. § 36.201. The ADA also requires that such entities make reasonable modifications in policies, practices, or procedures to permit the use of service animals by people with disabilities. 42 U.S.C. § 12182(b)(2)(A)(ii); 28 C.F.R. § 36.302(c).  Health care providers also generally are prohibited from discriminating against and required to provide accommodation to individuals with disabilities under the Rehabilitation Act and the Medicare statutes.

The Justice Department, HHS and courts have interpreted these disability prohibition and accommodation laws as making it illegal for a health care provider or its agent to fail to make reasonable accommodations for a person with a service animal unless the health care provider proves (1) the accommodations would fundamentally alter the nature of the facility or service it provides; or (2) based upon an individual assessment, the hospital determines that the service animal poses a substantial and direct threat to health or safety which cannot be mitigated by reasonable accommodations.  See, e.g., Tamara v. El Comino Hospital, 964 F.Supp.2d 1077 (N.D.Ca. 2013).

While other types of discriminatory actions by health care providers found to be in violation of these rules often trigger substantial damage awards, administrative penalties, disqualification or restriction of Medicare and other federal program participation for violation of Conditions of Participation, to date the reported agency and judicial enforcement actions brought against health care providers for improperly refusing to allow service animals to accompany patients when accessing facilities or receiving care generally have ordered injunctive or other corrective action but have not imposed substantial damage or administrative penalties upon the culpable provider.  Health care providers should avoid the temptation to underestimate the potential seriousness or liability that their organization is likely to incur based on the current lack of substantial financial damage awards or administrative sanctions, however.  The 11th Circuit’s ruling in Sheely v. MRI Radiology Network, P.A., 505 F.3d 1173 (11th Cir. 2007), that noneconomic compensatory damages were available as a remedy for the emotional distressed caused by the violation under the Rehabilitation Act and that the voluntary correction of its policies during the pendency of the litigation did not render moot Sheely’s claim for monetary relief clearly opens the door for a jury to award substantial damages against a health care provider when the jury perceives the circumstances warrant.   Furthermore, health care providers need to keep in mind the typically financial and operational burdens of defending litigation or a Justice Department or HHS OCR Civil Rights investigation and costs of implementation and compliance with administrative or injunctive orders to take corrective action as well as the negative public relations attend these types of complaints, their investigation and resolution. Moreover, health care providers participating in Medicare, Medicaid or other federal health care programs also need to take into account the possibility that an alleged violation of these nondiscrimination rules also can serve as a basis for investigation of compliance with applicable Conditions of Participation for program participation and reimbursement.  Considering these risks, physician and other health care providers should heed the reminder of their obligations to offer and provide proper accommodation to allow appropriate access to disabled individuals with disabilities  requiring service animal support and take steps to review and update their policies, practices and staff training to minimize the risk of potential charges of violation of these requirements.

Health Care Providers, Other Covered Entities Encouraged To Act To Manage HIPAA & Disability Accommodation Risks

The Allergy Associates and other HIPAA Resolution Agreements arising from improper sharing of PHI with the press or other media make clear the need for health care providers and other Covered Entities to exercise great care when dealing with the press and other media.

Clearly, health care providers and other Covered Entities should heed the warning by conducting a risk assessment of their organization’s susceptibility to potential improper disclosures to media or others and reviewing and implementing necessary written policies, procedures and training to prevent the improper disclosure of patient PHI to media or others unless the Covered Entity either secures prior HIPAA-compliant authorization from the patient or can prove the disclosure falls squarely under an exception to the Privacy Rule’s prohibition against disclosure of PHI without authorization except as allowed by the Privacy Rule.

Based on experiences reported in the Allergy Associates and other Resolution Agreements and OCR guidance concerning media disclosures, Covered Entities also generally will want to ensure that their policies, procedures and training extend to all potential sources of communications that could involve patient information and make clear that the Privacy Rule restrictions must be followed even if the circumstances involve allegations of misconduct, special performance by healthcare providers or others that it would benefit the organization or certain individuals to have known to the public, or other circumstances likely to be of interest to the media or other parties.

As part of this process, health care providers and other Covered Entities should ensure they look outside the four corners of their Privacy Policies to ensure that appropriate management, supervision, training and direction is provided to address media, practice transition, workforce communication and other policies and practices that may be covered by pre-existing or other policies of other departments or operational elements not typically under the direct oversight and management of the Privacy Officer such as media relations. Media relations, physician and patients affairs, outside legal counsel, media relations, marketing and other internal and external departments and consultants dealing with the media, the public or other inquiries or disputes should carefully include and coordinate with the privacy officer both to ensure appropriate policies and procedures are followed and proper documentation created and retained to show authorization, account, or meet other requirements.

In conducting this analysis and risk assessment, it also is important that Covered Entities include, but also look beyond the four corners of their Privacy Policies to ensure that their review and risk assessment identifies and assesses and addresses compliance risks on an entity wide basis. This entity-wide assessment should include both communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer.

For this reason, Covered Entities also generally will not only to adopt and implement specific policies, processes and training in these other departments to prohibit and prevent inappropriate disclosures of PHI in the course of those departments operations. As part of these processes, Covered Entities generally will want to implement a  pre-established process for reviewing media or other communications for potential PHI content which includes a requirement for  prior review of any proposed public relations and other internal or external communications containing patient PHI or other information by the privacy officer, legal counsel or another suitably qualified party.

Because of the high risk that the preparation or review of media or other public communications reports will involve the use and disclosure of PHI, Covered Entities also generally should verify that all outside media or public relations, legal, or other outside service providers participating in the investigation, response or preparation or review of communications to the media or others both are covered by signed business associate agreements that fulfill the Privacy Rule and other requirements of HIPAA as well as possess detailed knowledge and understanding of the Privacy and Security Rules suitable to participate in and help safeguard the Covered Entity against violations of these and other Privacy Rules. See e.g., Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health care and health benefit arrangements, contracts, systems, and processes throughout her career.  In addition to her extensive provider and payer contracting work, Ms. Stamer also is recognized for her knowledge, experience and leadership on health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

As a key part of this work, Ms. Stamer throughout her career regularly has worked with health care providers and payers, employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce managed care and other contracts, benefit plans and insurance arrangements, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors, supplier, and patient and member relations and requirements; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Record $16M HIPAA Sanction Shows Need For Current Enterprise Risk Assessment; ONC/OCR Share New Tool To Help HIPAA Covered Entities Comply

October 17, 2018

Following on the heels of Monday’s announcement that Anthem, Inc. is paying a record setting $16 million to resolve charges its violations of the enterprise risk assessment and other requirements of the Health Insurance Portability & Accountability Act (HIPAA) Security Rule allowed cybercriminals to breach the electronic protected health information (ePHI) of more than 79 million patients, physicians and other health care providers, health plans and health insurers, health care clearinghouses (covered entities) and their service providers acting as their business associates (business associates) (hereafter collectively “HIPAA Entities”) should reconfirm their own and their business associates’ compliance with the HIPAA Security Rule’s enterprise risk assessment and other ePHI security requirements.

When conducting these assessments, HIPAA Entities generally will want to ensure that their new enterprise risk assessment documents their consideration of the newly updated Security Risk Assessment (SRA) Tool jointly announced yesterday (October 16, 2018) by the Department of Health & Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and OCR, lessons shared in OCR’s $16 million Anthem, Inc. resolution agreement, $5.55 million resolution agreement with Memorial Healthcare System and other OCR HIPAA resolution agreements, civil monetary penalty assessments and other Security Rule guidance, as well as other emergent internal and external data suggesting potential susceptibilities of their own systems and data to breach or loss.

HIPAA Entities are reminded that HIPAA requires that all HIPAA covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by their organization.  Any HIPAA Entity that hasn’t already conducted a recent, appropriately documented enterprise wide risk analysis or updated their analysis in response to changes in equipment, vendors or emerging threats and developments should do so as soon as possible.

HIPAA’s requirement that HIPAA entities conduct and maintain an appropriately comprehensive and timely updated enterprise-wide risk analysis of potential security threats to ePHI both an affirmative requirement of the HIPAA Security Rule and an indispensable process to help healthcare organizations understand their security posture to prevent, detect, respond to and mitigate potential legal, operational and reputational costs that commonly result when ePHI or other sensitive information is breached or destroyed.

The importance of HIPAA entities having and being able to produce in the event of a breach or OCR audit an up-to-date, comprehensively enterprise risk assessment and response plan cannot be overstated.  Beyond OCR’s publication of extensive regulatory guidance and educational outreach discussing the responsibility to conduct and maintain documentation of appropriate enterprise risk assessments, virtually every announced HIPAA Security Rule civil monetary penalty assessment and other enforcement action identifies violation of the HIPAA Security Rule’s enterprise risk assessment requirements among the material transgressions committed and required to be corrected by HIPAA entities like Anthem, Inc. subjected to Security Rule enforcement.

The updated SRA Tool jointly released by OCR and ONC on October 16, 2018 further reinforces the importance of complying with the enterprise wide risk assessment requirement while simultaneously encouraging and facilitating compliance by small to medium sized health care practices.  Particularly designed with an eye to helping health care providers that work as solo practitioners or in groups with 10 or less health care providers and their business associates identify risks and vulnerabilities to ePHI, OCR says the updated SRA Tool “provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI” and incorporates new features to make the tool “more user friendly.” New features OCR hopes will make the SRA tool more user friendly include:

  • Enhanced User Interface
  • Modular workflow with question branching logic
  • Custom Assessment Logic
  • Progress Tracker
  • Improved Threats & Vulnerabilities Rating
  • Detailed Reports
  • Business Associate and Asset Tracking
  • Overall improvement of the user experience

HIPAA Entities should take note, however, that as of its October 16, 2018 released date, the updated version of the SRA Tool currently is only available in Windows format.  OCR has indicated that the OCR and ONC have not yet updated the OS iPad version of the previously published version of the SRA Tool. While the previous OS iPad version remains available at the Apple App Store exit disclaimer icon (search under “HHS SRA Tool”), HIPAA Entities that presently use or plan to use the OS iPad tool should consider comparing the prior tool against the updated Windows SRA Tool to verify the continued suitability of its continued use and any adjustments in understanding or application that might be warranted by these differences.  Additionally, HIPAA Entities also should review the revised User Guide available on the SRA Tool’s website before starting the assessment.

While the SRA Tool provides valuable guidance to help HIPAA Entities to conduct their own enterprise wide risk assessment, HIPAA Entities should keep in mind that the responsibility to assess their enterprise wide risk and to update their security safeguards to respond to these risks is a continuous one.  While using the SRA Tool is an excellent starting point for beginning this assessment, HIPAA Entities need to realize that OCR expects HIPAA Entities to tailor their assessments to identify and respond to the full range of risks and exposures to their ePHI and associated systems and to constantly reevaluate and adjust these assessments in response to emerging system and ePHI threats identified in the course of their operations as well as external developments suggesting previously unidentified or inadequately appreciated threats.  Moreover, in addition to conducting the risk assessment, OCR regulatory guidance and guidance drawn from OCR’s civil monetary settlements resolution agreements and other enforcement and audit activities also make clear that in addition to conducting the enterprise wide risk analysis, HIPAA entities also need to be prepared to produce documentation that their organizations took appropriate and timely action to address the risks identified in the risk assessment in accordance with the HIPAA Security Rule.

In addition to mitigate their exposure to potentially substantial HIPAA civil monetary penalties for violating the HIPAA Security Rule, HIPAA Entities also should keep in mind the potential role that their conduct and maintenance of appropriately comprehensive enterprise wide security risk assessments can play in helping to mitigate other legal, financial, operational and reputational risks that commonly also arise along with the HIPAA exposures associated with a breach of HIPAA.  In addition to HIPAA’s Security Rules for ePHI, HIPAA Entities typically also are subject to a hodgepodge of non-HIPAA statutory, regulatory and/or contractual obligations to safeguard patient, employee, business partners and other individual, financial, health, tax, peer review and credentialing, trade secrets and other confidential information against improper use, access, destruction or disclosure.  Examples of such obligations include the privacy and data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code and other tax laws, federal and state consumer debt and information, electronic crime, data security and identity theft statutes; federal and state trade secret and intellectual property laws; and others, for which violations often equal or substantially exceed the civil monetary penalty liability that commonly arise under the HIPAA Security Rule.  The experience of Anthem, Inc. illustrates this point.  While the $16 million resolution payment that OCR announced Anthem, Inc. is paying to resolve its HIPAA civil monetary penalty exposures for allowing the breach of the ePHI of 79 million individuals, this payment reflects only a very small portion of the overall liability that Anthem, Inc. incurred from data breach that lead to this resolution payment.  Anthem, Inc. also separately already reportedly also has paid more than $115 million to settle other statutory and contractual liabilities arising from the breach separate as well as substantial investigatory and defense costs in addition to the HIPAA liabilities settled under the resolution agreement announced Monday.  Other HIPAA Entities subjected to HIPAA civil monetary penalties or paying resolution payments to OCR also typically also have incurred substantial non-HIPAA sanctions and settlements, as well as other defense, investigation, operational and reputational losses as a result of their breaches.  HIPAA Entities should strive to ensure that their HIPAA enterprise wide risk assessment and compliance efforts are properly coordinated and administered to manage these overall risks and responsibilities in addition to their HIPAA-specific responsibilities and liabilities.

Because enterprise wide risk assessments and discussions of their structuring, scope and findings are likely to produce legally sensitive evidence, HIPAA Entities are encouraged to seek the advice of qualified and suitably experienced legal counsel about the advisability of conducting all or certain aspects of an enterprise wide risk analysis and their documentation of their risk evaluation and response to take advantage of possible attorney-client privilege, work-product or other evidentiary rules before or throughout the risk assessment and response process and deliberations.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.

 


Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management

October 16, 2018

Health care providers, managed care organizations, health plans and insurers, health care clearinghouses and their business associates should study and learn from the just announced, record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc. and the Department of Health & Human Services Office of Civil Rights (OCR).  The resolution agreement resolves OCR charges that Anthem, Inc.’s violations of the Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security Rules exposed the electronic protected health information (ePHI) of almost 79 million people.  In addition to reviewing the adequacy of their own HIPAA privacy and security practices, health care providers, health plans, their employer and union sponsors and fiduciaries also should consider assessing the advisability of tightening their business associate and other agreements with health insurers, third party administrative services providers and other vendors in light of the resolution agreement and practical experiences with the fallout of the Anthem breach to better position themselves to assess and enforce HIPAA compliance, receive notice and respond in the event of an insurer or other vendor breach and mitigate financial costs and liabilities resulting from breaches or other compliance deficiencies.

Anthem’s Record Setting Breach & Resolution Agreement

The settlement agreement announced October 15, 2018 by OCR requires Anthem, Inc. to pay a $16 million resolution payment to OCR and take a series of corrective actions to resolve HIPAA liabilities to OCR for allowing the largest known U.S. health data breach in history in 2015.

The record $16 million resolution payment eclipses the prior record resolution payment of $5.55 million Memorial Healthcare System (MHS) paid OCR to settle HIPAA charges in 2016.

An independent licensee of the Blue Cross and Blue Shield Association and one of the nation’s largest health benefits companies, Anthem provides medical care coverage to one in eight Americans through its affiliated health plans.  The breach that resulted in the settlement agreement affected ePHI Anthem maintained for its affiliated health plans including many employer or union sponsored self-insured and insured group health plans and other HIPAA-covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights  that disclosed that Anthem discovered on January 29, 2015 that cyber-attackers had gained access to and engaged in continuous and targeted cyberattack on Anthem’s IT system for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing its breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

Beyond the consequences for the millions of individuals whose ePHI was disclosed through the breach, the breach also triggered responsibilities and concerns for heath care providers who contracted to provide care or services to Anthem plan members, fiduciaries and sponsors of the employer and union-sponsored group health plans administered or insured by Anthem.  Health care providers and their patients were forced to deal with the fall out of having patient data exposed in the breach.  In addition sponsors and fiduciaries of private sector employer or union sponsored plans struggled to obtain information and cooperation from Anthem necessary to evaluate and fulfill their health plans’ HIPAA obligations as well as the fiduciary responsibility requirements of the Employee Retirement Income Security Act (ERISA).

In addition to the $16 million settlement that Anthem is paying to resolve OCR’s HIPAA charges stemming from the breach, the OCR settlement agreement also requires Anthem to undertake a robust corrective action plan to comply with the HIPAA Rules.

In addition to the $16 million paid under the OCR resolution agreement, anthem already has paid more than $115 million to settle lawsuits arising out of the breach under other laws.

Anthem Follows On Other Recent Enforcement

The record setting Anthem resolution agreement is notable in part as one of the few high dollar settlement agreements involving a health plan.  To date, the overwhelming majority of HIPAA enforcement actions have involved health care providers.

Rgeardless of the category of the covered entity involved, however, the Anthem settlement again drives home the risks health care providers, health plans and other covered entities and their business associates run for lax HIPAA compliance and risk management.  The latest in the growing list of high dollar HIPAA settlements OCR has collected from health care provider and other covered entities including the $999,0000 in settlement payments OCR announced on September 20, 2018 that Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) paid  for putting publicity before patient privacy by allowing ABC News documentary film crews to film patients and access other patient information for a news documentary without obtaining prior patient authorization under three settlement agreements.

Act To Manage Compliance & Risks

Unquestionably, health care providers, other health insurers, employer, union and association sponsored group health plans, and their vendors and business associates should evaluate the adequacy and defensibility of their own health plan privacy and security practices in light of the Anthem breach and resolution agreement.  In addition, employer, union or association health plan sponsors, administrative service providers and fiduciaries also should consider the advisability of strengthening their business associate agreements with insurers, third party administrators and other health plan service providers to incorporate safeguards, audit, oversight or other provisions and practices to help prudently monitor potential risks and improve their ability to receive timely notice, respond to, and preserve rights of recourse against insurers or other vendors in the event of a breach or other deficiency.

Since Covered Entities also are likely to be subject to other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by the Privacy Rule, most Covered Entities also will want to consider and take steps to identify and address other potential legal or ethical responsibilities such as medical confidentiality duties applicable to physicians and other health care providers under medical ethics, professional licensure or other similar rules, contractual responsibilities, as well as common law privacy or other related exposures when conducting this review.  Additionally, most Covered Entities also will want to take into account and manage their potential exposure to privacy, theft of likeness or other intellectual property, or other statutory or common law tort or contractual claims that might attached to the unauthorized filming, photographing, or surveillance of individuals under federal or state common or statutory laws.

Since this analysis and review in most cases will result in the uncovering or discussion of potentially legally or politically sensitive information, Covered Entities should consider consulting with or engaging experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

Finally, Covered Entities should keep in mind that HIPAA compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, Covered Entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.


Comments Due Tomorrow (10/17) On ONC Request for Information (RFI) for Input on EHR Reporting Program

October 16, 2018

Comments are due tomorrow on the Department of Health & Human Services Office of the National Coordinator’s (ONC’s) Electronic Health Record (EHR) Reporting Program Request for Information (RFI).

Section 4002(c) of the 21st Century Cures Act requires HHS to establish the program which provides publically available, comparative information on certified health IT. ONC recently issued an RFI for the public to share their views on the components of the EHR Reporting Program, and to provide feedback that will inform the development of EHR Reporting Program criteria and processes as required by the Cures Act.

ONC encourages stakeholders to provide their comments through the online submission process available on the Federal Register. Comments are due at 5:00pm ET tomorrow, October 17, 2018.  Interested persons may submit their comments here

About The Author

A practicing attorney and health industry consultant and policy advocate, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.

 


$999K Price Hospitals Pay To Settle HIPAA Privacy Charges From Allowing ABC To Film Patients Without Authorization

September 21, 2018

With New Settlements, OCR Collections From HIPAA Covered Entities For Improperly Allowing Filming Or Other PHI Disclosures To Media Now Exceed $3 Million

$999,0000 is the collective price tag paid by Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH)(collectively, the “Hospitals”) for putting publicity before patient privacy by allowing ABC News documentary film crews to film patients and access other patient information for a news documentary without obtaining prior patient authorization under three settlement agreements with the Hospitals just announced by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

On Thursday, September 20, 2018, OCR announced the three Hospitals collectively have paid a total of $999,000 to settle OCR charges that each Hospital separately violated each violated patients’ Health Insurance Portability & Accountability Act (HIPAA) privacy rights by allowing ABC television documentary film crews to observe and film patients and otherwise access to patient’s protected health information (“PHI”) without prior HIPAA-compliant patient authorization.  The payments were made under three separate settlement agreements between OCR and each respective Hospital made public by OCR in connection with the September 20, 2018 announcement stemming from the Hospital’s allowing ABC film crews to film in patient treatment and other areas for  the ABC medical documentary “Save My Life: Boston Trauma” series.

Considered in conjunction with OCR’s April 16, 2016 announcement of its $2.2 million HIPAA settlement (NY-Presby Settlement) with New York-Presbyterian Hospital for allowing film crews from the “NY Med” television series to film patients and OCR’s concurrently-published 2016 Frequently Asked Question (Media FAQ) addressing Covered Entities’ responsibilities when dealing with the media, the three newly-announced settlement agreements drive home the need for physicians, hospitals and other health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) to protect patients and their PHI against unauthorized filming, photography, observation and other access by news or other media or even other staff, patients or visitors.  With OCR now having collected nearly $3 million in settlement proceeds from 4 separate providers for violating these rules, all Covered Entities should review and tighten their current policies, practices and staff training regarding media access and relations, filming and photographing of patients and patient information within their facilities and other HIPAA compliance to reduce the potential that their organizations will fall subject to similar enforcement by OCR.

Media FAQ Highlights Duty To Protect Patients Against Unauthorized Filming, Photography & Other PHI Disclosures By Media, Others

OCR specifically alerted Covered Entities about their responsibility to safeguard patients and their PHI in dealings with the media in the Media FAQ OCR published in connection with its 2016 announcement of its $2.2 million settlement with New York-Presbyterian Hospital.

Among other things, the Media FAQ states that HIPAA prohibits health care providers and other Covered Entities from inviting or allowing media personnel into treatment or other areas where patients or patient PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise making PHI accessible to the media without prior written authorization from each patient or other subject of the PHI who is or will be in the area or whose PHI otherwise will be accessible to the media except in a very limited set of circumstances set forth in the Media FAQ.

The Media FAQ also states, “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixilation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.

In addition, the Media FAQ states that a health care provider also must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.

Concerning the limited circumstances when a health care provider or other Covered Entity or business associate may disclose to the media or allow unconsented filming, photographing or use of PHI to the media or other film crews, the Media FAQ also clarifies that the HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public like public waiting areas or areas where the public enters or exits the facility.

In addition, the Media FAQ states a health care provider or other Covered Entity may:

  • Disclose limited PHI about the incapacitated patient to the media in accordance with the requirements of 45 C.F.R. 164.510(b)(1)(ii) when, in the hospital’s professional judgment, doing so is in the patient’s best interest; or
  • Disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name as specified in 45 C.F.R. 164.510(a).

The Media FAQ also discusses circumstances where a healthcare provider or other Covered Entity may use the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if the provider ensures that the film crew acting as a business associate enters into a HIPAA compliant business associate agreement with the Covered Entity which among other things ensures that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed as required by 45 C.F.R. 164.504(e)(2). The Media FAQ also states that as a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI.  In addition, the Media FAQ reminds Covered Entities and business associates of the need to obtain prior authorizations from patients whose PHI is included in any materials before any of those materials are posted online, printed in brochures for the public, or otherwise publicly disseminated.

Finally, the Media FAQ states Covered Entities can continue to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the covered entity does not share PHI with the media

4 High Dollar HIPAA Settlements HIPAA Sanctions Covered Entities Risk By Allowing Improper Media & Other Recording, Use Or Access To PHI

The nearly $3 million in total settlement payments collected under the original 2016 NY-Presby Settlement and three additional settlement agreements announced by OCR on September 20, 2018 collectively make clear that health care providers or other Covered Entities risk substantial sanctions from OCR for allowing television or other media to film or access patients or their PHI without first obtaining a HIPAA-compliant authorization from the patient.

  • $2.2 Million NY-Presby Settlement

OCR originally made clear that its intention that other Covered Entities learn from the NY- Presbyterian experience in its April 21, 2016 announcement of the Resolution Agreement.  The announcement quoted OCR Director Jocelyn Samuels as stating, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization.”

Of course, even without then OCR Director Samuel’s warning, the $2.2 million settlement amount OCR required NY-Presbyterian Hospital to pay under the NY-Presby Resolution Agreement alone strongly signaled OCR’s willingness to harshly sanction health care providers and other Covered Entities for putting media coverage before patients.

According to the NY-Presby Resolution Agreement, OCR’s investigation revealed that NY-Presbyterian “blatantly” violated HIPAA when it allowed ABC film crews and staff virtually unfettered access to its health care facility.  OCR says the access NY-Presbyterian allowed ABC effectively created an environment where patients PHI could not be protected from impermissible disclosure to the ABC film crew and staff filming the episode.  While the Resolution Agreement reflects allowing the filming and other access to ABC without prior HIPAA-compliant authorization from patients in the facility itself violated HIPAA, OCR also particularly found “egregious” the facility allowing ABC film crews and staff to film a dying patient and another patient in significant distress without first obtaining a HIPAA-compliant authorization from each of those patients and even more so that NY-Presbyterian failed stop the filming even after a medical professional urged the crew to stop.

Based on its investigation, OCR charged NY-Presbyterian with violating 45 C.F.R. §§ 164.502(a) and 164.530(c) by:

  • Impermissibly disclosing the PHI of two identified patients to the film crew and other staff of “NY Med”; and
  • Failing appropriately and reasonably to safeguard its patients’ PHI from disclosure during the filming of “NY Med” on its premises; and
  • Failing to implement policies, procedures and practices to protect the privacy of its filming of aforementioned television show.
  • BMC Settlement Agreement

The circumstances that resulted in the three resolution agreements announced on September 20, 2018 are strikingly similar to those underlying the NY-Presby Resolution Agreement. Notably, the investigations that resulted in the three settlement agreements all arose out of the respective Hospital’s permitting an ABC documentary film crew filming a medical documentary to access patient areas of their hospitals.  OCR’s investigation of MGH arose in response to an announcement about the impending filming on its website while OCR’s investigations of BMC and BWH started in response to a January 12, 2015 Boston Globe article that reported the Hospitals each separately had allowed ABC film crews filming a documentary to access PHI and film patients without obtaining patient authorization.  See Boston Medical Center Resolution Agreement (BMC Settlement Agreement);  Brigham and Women’s Hospital Resolution Agreement (BWH Settlement Agreement); and Massachusetts General Hospital Resolution Agreement (MGH Resolution Agreement)

The MGH Resolution Agreement reflects that OCR’s investigations began with an investigation of MGH on December 17, 2014 based on a news story posted to MGH’s website on October 3, 2014, indicating that ABC News would be filming a medical documentary program at MGH. The MGH Resolution Reports that the investigation revealed that before allowing the filming between October 2014 to January 2015, MGH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by MGH’s workforce.

Information contained in the respective settlement agreements reflect that OCR’s investigations of BMC and BWH began about a month later on January 25 and 26, 2015 respectively in response to the Boston Globe article. The BWH Settlement Agreement states that the BWH investigation revealed that like MGH, BWH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by BWH’s workforce before allowing the filming by the ABC film crew that occurred between October 2014 to January 2015.  The BMC Settlement Agreement does not state that OCR found BMC engaged in similar deliberations or undertook the same or other efforts to safeguard patients and their PHI.

The BMC Settlement Agreement reports that the OCR concluded based on the BMC investigation showed that BMC impermissibly disclosed PHI of patients to ABC employees during the production and filming of a television program at BMC in violation of HIPAA.  Meanwhile, while acknowledging the privacy deliberations and efforts undertaken at MGH and BWH, OCR also concluded that each of those organizations also violated HIPAA because in allowing the film crew access and to film patients and patient areas:

  • The timing at which they obtained patient authorizations showed MGH and BWH impermissibly disclosed the PHI of patients to ABC employees during the production and filming of a television program at BWH; and
  • Despite the various patient privacy protections that were put in place, MGH and BWH failed to appropriately and reasonably safeguard its patients’ PHI from disclosure during a filming project conducted by ABC on its premises in 2014 and January 2015.

To resolve potential HIPAA violations, BMC has paid OCR $100,000, BWH has paid OCR $384,000, and MGH has paid OCR $515,000. In addition, each Hospital agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media in the 2016 Media FAQ.

OCR To Covered Entities:  Prevent Unauthorized Filming, Photography & PHI Access & Disclosures To Media, Other Third Parties

Given the clear warnings communicated by OCR in its Media FAQ and September 20, 2018 and NY-Presby Settlements, all Covered Entities should take steps to verify that their current policies, practices and training are appropriately designed and administered to ensure their ability to demonstrate compliance with OCR’s interpretation of the Privacy Rule as prohibiting health care providers or other Covered Entities from allowing film or media to film, photograph or even access areas where patients or their PHI are accessible or otherwise disclosing PHI to members of the media without first obtaining a HIPAA-compliant authorization from each patient whose presence or PHI could be observed, recorded or otherwise accessed.

When considering the adequacy of their current policies, practices and training concerning filming, photography and other access and disclosure to patients, patient treatment areas and other PHI, Covered Entities should resist the temptation to read the Media FAQ and media settlement agreements as relevant only to their policies concerning filming, photography and PHI access by members of the media.  In this respect, it bears noting that the NY-Presby Settlement expressly required NY-Presbyterian as part of its required corrective action to adopt and enforce policies requiring that “all photography, video recording and audio recording conducted on NY-Presbyterian premises” be reviewed, preapproved and actively monitored by appropriate NY-Presbyterian representatives for compliance with the Privacy Rule and NY-Presbyterian’s policies.  This requirement to adopt and administer appropriate safeguards to control filming or photography and other access to patients and their PHI generally, rather than just by the media, reflects a recognition by OCR that HIIPAA’s requirement that Covered Entities secure prior HIPAA-compliant authorization before allowing others to access or disclosing PHI to others applies to access or disclosure to “any third party not involved in patient care,” not merely those to media or film crews. Consequently, Covered Entities also should consider the implications of the guidance shared in the Media FAQ and media settlement agreements on the adequacy and defensibility of their current policies, practices and training about filming, photographing, or other access or disclosure to patients, patient treatment areas and PHI by any party within their facilities and organizations.

When evaluating these responsibilities and risks, Covered Entities are encouraged not only to take into account potential risks from filming, photographs or other access to patients or patient treatment or recordkeeping areas by third-parties unaffiliated with their organizations as well as filming, photographs and other access by staff, employees or business associates within their facilities.  Covered Entities should take steps to monitor and properly restrict and protect any filming, photography or other observations, records or other access to patients or their information by individuals within their workforce, as well as to regulate the access and activities of unrelated third parties.  In this respect, Covered Entities are cautioned about the need to prohibit and enforce restrictions against members of their workforce using their own personal devices or other equipment to film, photograph, and copy or disseminate photographs, film, recordings or other records or data that qualifies as or contains PHI without authorization in accordance with established protocols.  Covered Entities should ensure that their policies and training make clear that these prohibitions apply whether or not the workforce member believes that identity of the patient or patient information is concealed or otherwise not discoverable.  Moreover, even with respect to photographs, films or other recordings or records legitimately created for treatment, payment or operations purposes, Covered Entities generally need to take steps to restrict use, access and disclosure of the photographs or other recordings to individuals legitimately involved in patient treatment, operations, payment or other activities allowed by the Privacy Rule and to safeguard those materials against use, access or disclosure to others within or outside their workforce except as allowed by HIPAA and other applicable law. .

As part of these activities, Covered Entities should consider conducting a well-documented assessment of their current policies, practices and workforce training on allowing media or other parties to enter, film, photograph or record within their facilities or otherwise disclosing or allowing media access to their facilities as well as their policies about when parties not involved in care of a particular patient can film, photograph, or otherwise record, observe or access areas where patients or patient PHI is or might be present without prior written consent of the patient.

Since Covered Entities also are likely to be subject to other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by the Privacy Rule, most Covered Entities also will want to consider and take steps to identify and address other potential legal or ethical responsibilities such as medical confidentiality duties applicable to physicians and other health care providers under medical ethics, professional licensure or other similar rules, contractual responsibilities, as well as common law privacy or other related exposures when conducting this review.  Additionally, most Covered Entities also will want to take into account and manage their potential exposure to privacy, theft of likeness or other intellectual property, or other statutory or common law tort or contractual claims that might attached to the unauthorized filming, photographing, or surveillance of individuals under federal or state common or statutory laws.

Since this analysis and review in most cases will result in the uncovering or discussion of potentially legally or politically sensitive information, Covered Entities should consider consulting with or engaging experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

Finally, Covered Entities should keep in mind that HIPAA compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, Covered Entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.

 


Device Manufacturers & Health Care Providers Should Update Audits & Controls For New NIST Data Security Guidance

August 23, 2018

Medical device manufacturers whose physical devices include technology that allows them to connect to the internet or other electronic system to communicate with other devices or systems “connected medical devices”) and health care providers installing, providing or using these devices should check out the guidance on connected medical device security provided by the just released 375 page NIST Special Publication 1800-8 (Guidance) from the National Institute of Standards and Technology (NIST).

While the Guidance’s title of “Securing Wireless Infusion Pumps,” suggests a more narrow focus, the Guidance clearly can be read as relevant if not generally applicable to all connected medical devices.

Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps and other connected medical devices transmit and/or connect to a variety of electronic health records (EHRs) and other healthcare systems, networks, and other devices. While this connectivity often helps improve certain healthcare delivery processes, a medical device’s connectivity capabilities also can create significant cybersecurity risk, which could lead to health care privacy, operational or safety risks. Tampering or other intentional or inadvertent access or interference with the data sent or received from connected medical devices can expose health care providers and their healthcare enterprises to series risks including, for example:

  • A breach of electronic protected health information (ePHI) in violation of the privacy and security standards of the Health Insurance Portability & Accountability Act (HIPAA);
  • Loss or disruption of healthcare services;
  • Malicious access by malicious actors;
  • Loss or corruption of enterprise information and patient data and health records; and
  • Resulting damage to an organization’s reputation, productivity, and bottom-line revenue.

The Guide includes a variety of information NIST intends to help organizations manage these and other risks to connected medical devices and their ePHI and other data.  It provides an example that:

  • Illustrates cybersecurity standards and best-practice guidelines for better securing the wireless infusion pump ecosystem, such as the hardening of operating systems, segmenting the network, file and program whitelisting, code-signing, and using certificates for both authorization and encryption, maintaining the performance and usability of wireless infusion pumps and other connected mobile devices;
  • Discusses risks and opportunities to reduce risks from the compromise of information, including the potential for a breach or loss of ePHI, as well as not allowing these medical devices to be used for anything other than the intended purposes;
  • Documentation of a defense-in-depth strategy to introduce layers of cybersecurity controls that avoid a single point of failure and provide strong support for availability that may include a variety of tactics: using network segmentation to isolate business units and user access; applying firewalls to manage and control network traffic; hardening and enabling device security features to reduce zero-day exploits; and implementing strong network authentication protocols and proper network encryption, monitoring, auditing, and intrusion detection systems (IDS) and intrusion prevention systems (IPS);
  • Highlights best practices for the procurement of wireless infusion pumps, by including the need for cybersecurity features at the point of purchase; and
  • Calls upon industry to create new best practices for healthcare providers to consider when onboarding medical devices, with a focus on elements such as asset inventory, certificate management, device hardening and configuration, and a clean-room environment to limit the possibility of zero-day vulnerabilities.

As the patient identifiable ePHI these connected medical devices send, store or receive are considered subject to HIPAA’s privacy, security and breach notification rules, health care providers, medical device manufacturers acting as their business associates and other entities covered by these rules as covered entities or business associates are responsible for protecting and safeguarding this ePHI in accordance with HIPAA’s requirements.  Since the Department of Health & Human Services Office of Civil Rights (OCR) often points to the NIST guidance as a relevant touchstone for HIPAA covered entities and business associates to comply with HIPAA security requirements, HIPAA covered entities can anticipate that OCR will look to and be influenced by the Guidance in formulating and applying HIPAA to connected mobile devices.  Consequently, health care providers and other HIPAA covered entities and their business associates should be prepared to demonstrate their consideration and use of the standards and practices suggested in the Guidance including their analysis and justification for not following those criteria as part of their HIPAA security rule assessments. Meanwhile, connected mobile device manufacturers also will want to evaluate the Guidance and update their products and practices both to meet customer demands and to mitigate their risks as manufacturers to potential product liability claims and associated claims likely to rise from breaches or other events that may result from the failure to address the security and other risks identified in the Guidance as well as, when applicable, their specific business associate risk under HIPAA.

To accomplish this, impacted health care providers, manufacturers and other responsible parties generally will want to assess and confirm within the scope of attorney-client privilege the compliance of the ePHI safeguards of their current connected medical devices as well as require documented verification that any connected medical devices not yet deployed take into account these new standards.  To the extent that deficiencies exist in the adherence of currently in use connected medical devices, HIPAA covered entities and their business associates should consult with qualified legal counsel experienced in addressing these HIPAA compliance and risk management concerns about the defensibility and exposures potential arising from the continued use of the devices, if any, and develop an appropriate compliance and risk management plan accordingly.

About the Author

Recognized repeatedly by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry, health and other benefit, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employer, associations, government and other health benefit sponsors and administrators, public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design and reform programs and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


%d bloggers like this: