Health Care Providers Must Strengthen Disability Compliance & Risk Management

Health care providers beware! The Obama Administration is targeting health care providers that violate the Americans with Disabilities Act (ADA) and Section 504 of the Rehabilitation Act of 1973 (Rehab Act) and other federal disability discrimination laws. 

On March 13, 2013, the Justice Department announced that Glenbeigh Hospital (Glenbeigh) of Rock Creek, Ohio is the fourth health care provider in five weeks to agree to a settlement with the Justice Department resolving disability discrimination charges brought under its Barrier Free Health Care Initiative (Initiative).  The Glenbeigh settlement is one of a growing list of disability discrimination settlements and judgements against health care providers brought by the Justice Department, the Department of Health & Human Resources Office of Civil Rights and other federal agencies. 

Barrier Free Health Care Initiative Targets Health Care Providers For Disability Discrimination

Launched on the 22^nd anniversary of the ADA in July 2012, the Initiative is a partnership of the Civil Rights Division and 40 U.S. Attorney’s offices across the nation, that targets ADA and other disability discrimination law enforcement efforts on a critical area for individuals with disabilities.

Part of a broader enforcement initiative of the Obama Administration to enforce and expand federal protections for individuals with disabilities, the Initiative seeks to protect patients with disabilities against illegal disability discrimination by prosecuting health care providers under the ADA and the Rehab Act. 

Section 504 of the Rehab Act requires recipients of Medicare, Medicaid, HUD, Department of Education, welfare and most other federal assistance programs funds including health care, education, housing services providers, state and local governments to ensure that qualified individuals with disabilities have equal access to programs, services, or activities receiving federal financial assistance.

The ADA extends the prohibition against disability discrimination to private providers and other businesses as well as state and local governments including but not limited to health care providers reimbursed by Medicare, Medicaid or various other federal programs The ADA requirements extend most federal disability discrimination prohibits to health care and other businesses even if they do not receive federal financial assistance to ensure that qualified individuals with disabilities have equal access to their programs, services or activities.  

In many instances, these federal discrimination laws both prohibit discrimination and require health care and other regulated businesses to put in place reasonable accommodations needed to ensure that their services are accessible and available to persons with disabilities.  The public accommodation provisions of the ADA, for instance, generally require those doctors’ offices, medical clinics, hospitals, and other health care providers, as well as other covered businesses to provide people with disabilities, including those with HIV, equal access to goods, services, and facilities.  The ADA also may compel health care providers to adjust their practices for delivering care and/or providing access to facilities to accommodate special needs of disabled individuals under certain circumstances. Meanwhile the Civil Rights Act and other laws prohibit discrimination based on national origin, race, sex, age, religion and various other grounds.  These federal rules impact almost all public and private health care providers as well as a broad range housing and related service providers.

Glenbeigh ADA Disability Discrimination Settlement

According to the Justice Department, Glenbeigh has agreed to a settlement resolving charges it violated the ADA by denying admission to someone because of HIV.  The fourth ADA disability discrimination settlement addressing HIV discrimination by a medical provider reached by the Justice Department in six weeks, the settlement requires Glenbeigh to pay $32,500 to the complainant, $5,000 in civil penalties, train its staff on the ADA and develop and implement an anti-discrimination policy. 

The settlement resolves Justice Department charges that engaged in prohibited disability discrimination in violation of the ADA by unlawfully refusing to admit someone with HIV into its alcohol treatment program because of the side effects of his HIV medication.   Glenbeigh’s alcohol treatment program consists of helping patients through the physical aspects of recovery, as well as providing counseling and incorporating spiritual healing.   The Justice Department determined Glenbeigh cannot show that treating the complainant would have posed a direct threat to the health or safety of others.

In announcing the Glenbeigh settlement, the Justice Department warned other providers against illegal disability discrimination against individuals with HIV or other disabilities.

“Ensuring access to medical care for people with HIV requires that those in the medical field make medical decisions that are not based on fears or stereotypes,” said Thomas E. Perez, Assistant Attorney General for the Civil Rights Division.   “The ADA does not tolerate HIV discrimination and neither will the Justice Department.”

Glenbeigh Settlement Part of Larger Disability Enforcement Trend

Settlements like Glenbeigh’s are growing increasingly common as the Initiative picks up steam.  As part of a broader emphasis on the enforcement of disability and other federal discrimination laws by the Obama Administration, Federal agencies are making investigation and prosecution of suspected disability discrimination by health industry and other organizations a priority.  

In the past five weeks, the Justice Department announced similar agreements with Woodlawn Family Dentistry, the Castlewood Treatment Center, and the Fayetteville Pain Center to address HIV discrimination. These new settlements add to a growing list of Justice Department disability discrimination enforcement actions against health care providers.   Along side a growing list of disability discrimination settlements and prosections, the Justice Department has a website dedicated to disabilities law enforcement, which includes links to settlements, briefs, findings letters, and other materials. 

 The  Justice Departments campaign against disability discrimination by health care providers is supported and enhanced by the concurrent efforts of OCR.   Along side the Justice Department’s efforts, OCR recently has announced several settlement agreements and issued letters of findings as part of its ongoing efforts to ensure compliance with the Rehab Act and the ADA well as various other federal nondiscrimination and civil rights laws. Through its own antidiscrimination campaign, OCR is racking up an impressive list of settlements with health care providers, housing and other businesses for violating the ADA, Section 504 or other related civil rights rules enforced by OCR.   See, e.g. Genesis Healthcare Disability HHS OCR Discrimination Settlement Reminder To Use Interpreters, Other Needed Accommodations For Disabled.   Meanwhile, both the Justice Department and OCR also are encouraging victims of discrimination to enforce their rights through private action through educational outreach to disabled and other individuals protected by federal disabilities and other civil rights laws to make them aware of and to encourage them to act to enforce these rights.

Providers Should Act To Manage Patient-Related Disability Discrimination Risks

Prosecutions and settlements like the Glenbeigh settlements show the need for health care providers and other public and private organizations to strengthen their disability discrimination compliance and management practices to defend against rising exposures to actions by the Justice Department, OCR, the Equal Employment Opportunity Commission (EEOC) and other agencies as well as private law suits.  Hospitals, health care clinics, physicians and other health care providers should take steps to guard against joining the growing list of health care providers caught in the enforcement sights of the Initiative by reviewing and updating practices, policies, training and oversight to ensure that their organizations can prevent and defend against charges of disability discrimination.

Defending or paying to settle a disability discrimination charge brought by a private plaintiff, OCR or another agency, or others tends to be financially, operationally and politically costly for a health care organization or public housing provider.  In addition to the expanding readiness of OCR and other agencies to pursue investigations and enforcement of disability discrimination and other laws, the failure of health care organizations to effectively keep up processes to appropriately include and care for disabled other patients or constituents with special needs also can increase negligence exposure, undermine Joint Commission and other quality ratings, undermine efforts to qualify for public or private grant, partnerships or other similar arrangements, and create negative perceptions in the community.

In light of the expanding readiness of the Justice Department, OCR, HUD, EEOC and other agencies to investigate and take action against health care providers for potential violations of the ADA, Section 504 and other federal discrimination and civil rights laws, health care organizations and their leaders should review and tighten their policies, practices, training, documentation, investigation, redress, discipline and other nondiscrimination policies and procedures. In carrying out these activities, organizations and their leaders should keep in mind the critical role of training and oversight of staff and contractors plays in promoting and maintaining required operational compliance with these requirements.  Reported settlements reflect that the liability trigger often is discriminatory conduct by staff, contractors, or landlords in violation of both the law and the organization’s own policies.

To achieve and maintain the necessary operational compliance with these requirements, organizations should both adopt and policies against prohibited discrimination and take the necessary steps to institutionalize compliance with these policies by providing ongoing staff and vendor training and oversight, contracting for and monitoring vendor compliance and other actions.  Organizations also should take advantage of opportunities to identify and resolve potential compliance concerns by revising patient and other processes and procedures to enhance the ability of the organization to learn about and redress potential charges without government intervention.

For More Information Or Assistance

If you need assistance reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination, as well as a wide range of other workshops, programs and publications on discrimination and cultural diversity, as well as a broad range of compliance, operational and risk management, and other health industry matters.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and help businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.   ©2013 Cynthia Marcotte Stamer, P.C. All rights reserved.

Hospitals, health care clinics, physicians and other health care providers should heed the settlement announced by the Justice Department announced today (January 31, 2013) with the Fayetteville Pain Center as a reminder of the importance of ensuring that their organizations can prove their care and other operations fulfill the Americans With Disabilities Act (ADA) nondiscrimination and accommodation requirements. 

The public accommodation provisions of the ADA generally require those doctors’ offices, medical clinics, hospitals, and other health care providers, as well as other covered businesses to provide people with disabilities, including those with HIV, equal access to goods, services, and facilities.  The ADA also may compel health care providers to adjust their practices for delivering care and/or providing access to facilities to accommodate special needs of disabled individuals under certain circumstances.

The Fayetteville Pain Center settlement arose as part of the Justice Department’s ADA enforcement effort as part of its Barrier-Free Health Care Initiative.  The settlement resolves allegations that the Fayetteville Pain Center violated the ADA by refusing to treat a woman because she has HIV.

The complainant, a woman with HIV who was suffering from back pain as a result of a car accident, visited the Fayetteville Pain Center in Fayetteville, North Carolina seeking treatment. According to the complaint, the woman was unable to get medical treatment because the doctor at the Fayetteville Pain Center refused to treat a person with HIV. 

Under the settlement, the Fayetteville Pain Center must pay $10,000 to the complainant and $5,000 to the United States in civil penalties, train its staff on the ADA, and develop and implement an anti-discrimination policy.  To read more about the Settlement, see here.

Enforcement Exposures Rising

The Justice Department’s Fayetteville Pain Center prosecution and settlement should remind health care providers and other public and private organizations of the need to strengthen their disability discrimination compliance and management practices to defend against rising exposures to actions by the U.S. Department of Justice, Department of Health & Human Services Office of Civil Rights (OCR), Equal Employment Opportunity Commission (EEOC) and other agencies as well as private law suits.

As part of a broader emphasis on the enforcement of disability and other federal discrimination laws by the Obama Administration, Federal agencies are making investigation and prosecution of suspected disability discrimination by health industry and other organizations a priority.  OCR recently has announced several settlement agreements and issued letters of findings as part of its ongoing efforts to ensure compliance with Section 504 of the Rehabilitation Act of 1973 (Section 504) and the ADA well as various other federal nondiscrimination and civil rights laws.

Defending or paying to settle a disability discrimination charge brought by a private plaintiff, OCR or another agency, or others tends to be financially, operationally and politically costly for a health care organization or public housing provider.  In addition to the expanding readiness of OCR and other agencies to pursue investigations and enforcement of disability discrimination and other laws, the failure of health care organizations to effectively keep up processes to appropriately include and care for disabled other patients or constituents with special needs also can increase negligence exposure, undermine Joint Commission and other quality ratings, undermine efforts to qualify for public or private grant, partnerships or other similar arrangements, and create negative perceptions in the community.

Most health care and other U.S. businesses fully appreciate the growing disability discrimination exposures in employment but often are less aware of or ready to manage their responsibilities under the ADA public accommodation rules or other laws.

• Employment Discrimination Under ADA

Title I of the ADA prohibits employers from discriminating against individuals on the basis of disability in various aspects of employment.  The ADA’s provisions on disability-related inquiries and medical examinations show Congress’s intent to protect the rights of applicants and employees to be assessed on merit alone, while protecting the rights of employers to make sure that individuals in the workplace can efficiently do the essential functions of their jobs.  An employer generally violates the ADA if it requires its employees to undergo medical examinations or submit to disability-related inquiries that are not related to how the employee performs his or her job duties, or if it requires its employees to disclose overbroad medical history or medical records.  Title I of the ADA also generally requires employers to make  reasonable accommodations to employees’ and applicants’ disabilities as long as  this does not pose an undue hardship or the employer the employer otherwise proves employing a person with a disability with reasonable accommodation could not end significant safety concerns.  Employers generally bear the burden of proving these or other defenses.  Employers are also prohibited from excluding individuals with disabilities unless they show that the exclusion is consistent with business necessity and they are prohibited from retaliating against employees for opposing practices contrary to the ADA. 

Violations of the ADA can expose businesses to substantial liability.  Violations of the employment provisions of the ADA may be prosecuted by the EEOC or by private lawsuits and can result in significant judgments.  Employees or applicants that can prove they were subjected to prohibited disability discrimination under the ADA generally can recover actual damages, attorneys’ fees, and up to $300,000 of exemplary damages (depending on the size of the employer).   

• ADA Public Accommodation & Other Federal Discrimination

In addition to the well-known and expanding employment discrimination risks, public and private health care and housing providers also increasingly face disability discrimination exposures under various federal laws such as the public accommodation and other disability discrimination prohibitions of the ADA, Section 504, the Civil Rights Act and various other laws that the Obama Administration views as high enforcement priorities.

Section 504 requires recipients of Medicare, Medicaid, HUD, Department of Education, welfare and most other federal assistance programs funds including health care, education, housing services providers, state and local governments to ensure that qualified individuals with disabilities have equal access to programs, services, or activities receiving federal financial assistance. The ADA extends the prohibition against disability discrimination to private providers and other businesses as well as state and local governments including but not limited to health care providers reimbursed by Medicare, Medicaid or various other federal programs The ADA requirements extend most federal disability discrimination prohibits to health care and other businesses even if they do not receive federal financial assistance to ensure that qualified individuals with disabilities have equal access to their programs, services or activities.  In many instances, these federal discrimination laws both prohibit discrimination and require health care and other regulated businesses to put in place reasonable accommodations needed to ensure that their services are accessible and available to persons with disabilities.  Meanwhile the Civil Rights Act and other laws prohibit discrimination based on national origin, race, sex, age, religion and various other grounds.  These federal rules impact almost all public and private health care providers as well as a broad range housing and related service providers.

As a result of its stepped up enforcement of the ADA, Section 504 and other civil rights and nondiscrimination rules, OCR is racking up an impressive list of settlements with health care providers, housing and other businesses for violating the ADA, Section 504 or other related civil rights rules enforced by OCR.  While OCR continues to wage this enforcement battle in the programs it administers, the Departments of Justice, Housing & Urban Development, Education, Labor and other federal agencies also are waging war against what the Obama Administration perceives as illegal discrimination in other areas.  Along side their own enforcement activities, OCR and other federal agencies are maintaining a vigorous public outreach to disabled and other individuals protected by federal disabilities and other civil rights laws intended to make them aware of and to encourage them to act to enforce these rights. To be ready to defend against the resulting risk of claims and other enforcement actions created by these activities, health care, housing and other U.S. providers and businesses need to tighten compliance and risk management procedures and take other steps to prepare themselves to respond to potential charges and investigations.

Enforcement of Discrimination & Other Civil Rights Laws Obama Administration Priority Putting Public & Private Providers At Risk

A growing list of ADA and other disability discrimination law enforcement actions against private and public health care and housing providers, state and local governments and other businesses under the Obama Administration make it increasingly critical that health care organizations and other businesses manage disability discrimination risk both in their employment practices and their other business operations.

As for employment discrimination, violators of these and other federal discrimination prohibitions applicable to the offering and delivery of services and products also face exposure to large civil damage awards to private plaintiffs as well as federal program disqualification, penalties and other federal agency enforcement. Unfortunately, while most businesses and governmental leaders generally are sensitive to the need to maintain effective compliance programs to prevent and redress employment discrimination, the awareness of the applicability and non-employment related disability and other discrimination risk management and compliance lags far behind.

When considering these potential exposures, many private health care organizations mistakenly assume that OCR’s enforcement actions are mostly a problem for state and local government agencies because state and local agencies and service providers frequently in the past have been the target of OCR discrimination charges.  As demonstrated by the ADA exposures are high for both public and private providers, however.  OCR , the Department of Justice and other federal and state agencies can and do investigate and prosecute  a wide variety of public and private physicians, hospitals, insurers and other private health care and other federal program participants.  

Consequently, disability discrimination management requires more than employment discrimination management.  The Obama Administration also has trumpeted its commitment to the aggressive enforcement of the public accommodation provisions of the ADA and other federal disability discrimination laws.  In June, 2012, for instance, President Obama himself made a point of reaffirming his administration’s “commitment to fighting discrimination, and to addressing the needs and concerns of those living with disabilities.”

As part of its significant commitment to disability discrimination enforcement, the Civil Rights Division at the Justice Department has aggressively enforced the public accommodation provisions of the ADA and other federal disability discrimination laws against state agencies and private businesses that it perceives to have improperly discriminated against disabled individuals.  For instance, the Justice Department entered into a landmark settlement agreement with the Commonwealth of Virginia, which will shift Virginia’s developmental disabilities system from one heavily reliant on large, state-run institutions to one focused on safe, individualized, and community-based services that promote integration, independence and full participation by people with disabilities in community life. The agreement expands and strengthens every aspect of the Commonwealth’s system of serving people with intellectual and developmental disabilities in integrated settings, and it does so through a number of services and supports.  The Justice Department has a website dedicated to disabilities law enforcement, which includes links to settlements, briefs, findings letters, and other materials. The settlement agreements are a reminder that private businesses and state and local government agencies alike should exercise special care to prepare to defend their actions against potential disability or other Civil Rights discrimination challenges.  All organizations, whether public or private need to make sure both that their organizations, their policies, and people in form and in action understand and comply with current disability and other nondiscrimination laws.  When reviewing these responsibilities, many state and local governments and private businesses may need to update their understanding of current requirements.  Statutory, regulatory or enforcement changes have expanded the scope and applicability of disability and various other federal nondiscrimination and other laws and risks of charges of discrimination. 

Invest in Prevention To Minimize Liability Risks

In light of the expanding readiness of the Justice Department, OCR, HUD, EEOC and other agencies to investigate and take action against health care providers for potential violations of the ADA, Section 504 and other federal discrimination and civil rights laws, health care organizations and their leaders should review and tighten their policies, practices, training, documentation, investigation, redress, discipline and other nondiscrimination policies and procedures. In carrying out these activities, organizations and their leaders should keep in mind the critical role of training and oversight of staff and contractors plays in promoting and maintaining required operational compliance with these requirements.  Reported settlements reflect that the liability trigger often is discriminatory conduct by staff, contractors, or landlords in violation of both the law and the organization’s own policies.

To achieve and maintain the necessary operational compliance with these requirements, organizations should both adopt and policies against prohibited discrimination and take the necessary steps to institutionalize compliance with these policies by providing ongoing staff and vendor training and oversight, contracting for and monitoring vendor compliance and other actions.  Organizations also should take advantage of opportunities to identify and resolve potential compliance concerns by revising patient and other processes and procedures to enhance the ability of the organization to learn about and redress potential charges without government intervention.

For More Information Or Assistance

If you need assistance reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination, as well as a wide range of other workshops, programs and publications on discrimination and cultural diversity, as well as a broad range of compliance, operational and risk management, and other health industry matters.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and help businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.   ©2013 Cynthia Marcotte Stamer, P.C. All rights reserved.

Health care providers and their business associates have work to do.  Health care providers, health plans, health care clearinghouses and their business associates will need to review and update their  policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the omnibus restatement of the Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”) of its of its regulations (the “2013 Regulations”) implementing the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Rulemaking announced January 17, 2013 may be viewed here.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) restrict and safeguard individually identifiable  health care information (“PHI”) of individuals and afford other protections to individuals that are the subject of that information.  The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that OCR found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations.  While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to  its HIPAA Rules. The 2013 Regulations published today fulfill  that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

Among other things, the 2013 Regulations:

• Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
• Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
• Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
• Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the manner required by the 2013 Regulations;
• Update OCR’s rules about the individual rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act  that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
• Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
• Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules. 

Enforcement Risks Signal Neeed To  Review & Update Policies & Practices Promptly

The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks.  OCR even prior to the regulations has aggressively investigated and enforced the HIPAA requirements.  

The commitment of OCR to enforcement most recently was demonstrated by its recent settlement with Hospice of North Idaho (HONI).  On January 2, 2013, OCR announced HONI will pay OCR $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The HONI settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. 

While the HONI settlement marks the first settlement on a small breach, this is not the first time OCR has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a Laptop, storage device or other computer device.  Rather, OCR continues to rollout a growing list of enforcement actions demonstrating the potential risks of HIPAA violations are significant and growing.  OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.

Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. 

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA or other health industry, regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here.  Examples of some recent publications that may be of interest include:

• OCR Gives Providers Guidance On HIPAA Safety Disclosures
• Justice Department Settles FACE Act Lawsuit Against Abortion Protester
• ONC-Authorized Certification Bodies & Accredited Testing Labs Scope Expansion for 2014 Edition Testing & Certification
• OCR Pops Idaho Hospice In 1st HIPAA Breach Settlement Affecting < 500 Patients
• Medical Device Excise Tax Rules Supplemented
• Updated 2013 ACA Prescription Drug Fee Calculation & Payment Rules Released; 12/18 Deadline To File Form 8947
• Hospitals Urged To Tighten Inpatient & Outpatient Admission Records As OIG Audits Hospitals for New vs. Established Patients,
• OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight
• Congress Sends Bill Amending Lab Testing Rule Violation Sanctions
• Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!
• $12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks
• Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities
• ONC Changes Start Time, Releases Agenda For 11/13 Virtual Workshop On Health IT Test Standards
• Medical Device Excise Tax Rules Supplemented
• Updated 2013 ACA Prescription Drug Fee Calculation & Payment Rules Released; 12/18 Deadline To File Form 8947
• Hospitals Urged To Tighten Inpatient & Outpatient Admission Records As OIG Audits Hospitals for New vs. Established Patients,
• OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight
• Congress Sends Bill Amending Lab Testing Rule Violation Sanctions
• Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!
• $12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks
• Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities
• ONC Changes Start Time, Releases Agenda For 11/13 Virtual Workshop On Health IT Test Standards
• ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop
• Health Care Providers Warned To Raise Defenses As Feds Charge 91 Individuals Bilked Medicare For Approximately $430 Million
• Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next
• Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital
• Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme
• Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

 ©2013 Cynthia Marcotte Stamer, P.C. All rights reserved.

$50K Settlement Shows Small Breach Reports Carry Enforcement Risk

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!  That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI). 

In announcing the settlement against HONI, OCR sent a clear message that OCR stands ready to penalize these health care providers, health plans, healthcare clearinghouses and their businesses associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

OCR Director Leon Rodriguez reiterated OCR’s expectation that covered entities will properly encrypt ePHI on mobile or other devices in OCR’s announcement of the HONI settlement.  “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI Settlement For Small Breach Notification

On January 2, 2013, OCR announced HONI will pay OCR $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The HONI settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals.  Read the full HONI Resolution Agreement here.

OCR opened an investigation after HONI reported to HHS that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010.  HONI team members regularly use Laptops containing ePHI their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

HIPAA Security & Breach Notification For ePHI

The HONI settlement is notable because it marks the first time OCR has sanctioned a covered entity as a result of an OCR investigation stemming from the covered entity’s report of a breach of unsecured protected health information involving fewer than 500 individuals under new breach notification rules added to HIPAA in 2009.

Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information.  Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.   

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements.  The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis. Since the Breach Notification Rule took effect, OCR’s announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches.  Until now, however, OCR has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

While the HONI settlement marks the first settlement on a small breach, this is not the first time OCR has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a Laptop, storage device or other computer device. In fact, OCR’s first resolution agreement – reached before Congress added the HIPAA Breach Notification Rules to HIPAA – stemmed from such a breach.  Providence To Pay $100000 & Implement Other Safeguards.   Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect.  See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach.  Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the HONI settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.  Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. 

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks. 

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if additional steps are necessary or advisable. 

New OCR HIPAA Mobile Device Educational Tool

While OCR enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of OCR. 

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.  The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, see here.  For more information on HIPAA compliance and risk management tips, see here.

For Representation, Training & Other Resources

If you need help monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here.  Examples of some recent publications that may be of interest include:

• Medical Device Excise Tax Rules Supplemented
• Updated 2013 ACA Prescription Drug Fee Calculation & Payment Rules Released; 12/18 Deadline To File Form 8947
• Hospitals Urged To Tighten Inpatient & Outpatient Admission Records As OIG Audits Hospitals for New vs. Established Patients,
• OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight
• Congress Sends Bill Amending Lab Testing Rule Violation Sanctions
• Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!
• $12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks
• Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities
• ONC Changes Start Time, Releases Agenda For 11/13 Virtual Workshop On Health IT Test Standards
• ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop
• Health Care Providers Warned To Raise Defenses As Feds Charge 91 Individuals Bilked Medicare For Approximately $430 Million
• Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next
• Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital
• Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme
• Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

 ©2013 Cynthia Marcotte Stamer, P.C. All rights reserved.

Health care providers, health plans, health care clearinghouses and their business associates should review the Department of Heath & Human Services (HHS) Office of Civil Rights (OCR) HIPAA audit protocol used by OCR to conduct the audits required by the HITECH Act to identify potential areas where they may need to tighten existing practices to withstand a possible audit and reduce exposures under the Privacy, Security and Breach Notification rules of the Health Insurance Portability & Accountability Act.  OCR posted the audit protocols on its on its website on June 26, 2012, the same day it announced that the Alaska Medicaid program would pay more than $1.7 million to settle potential HIPAA liabilities arising from OCR’s investigation of circumstances resulting a large data breach reported under the HITECH Act breach notification rules. Covered entities should use these resources both to prepare for potential audits and to review and adjust their practices to help prevent violations and defend against potential HIPAA enforcement actionsl.

HIPAA Audit Protoco

The OCR HIPAA Audit program analyzes key processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit requirement.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.  The combination of these multiple requirements may vary based on the type of covered entity selected for review. These include:

• Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures
•  Security Rule requirements for administrative, physical, and technical safeguards;
• Requirements for the Breach Notification Rule.

Presently OCR says that HIPAA audits primarily seek to tighten compliance and aid OCR to identify areas where guidance should be revised or supplemented to enhance compliance.  Where an audit identifies a significant compliance concern, however, OCR officials say OCR officials may open an enforcement investigation in response to evidence uncovered in connection with an audit.  Beyond this risk, however, the audit protocols also provide additional guidance for covered entities about expected practices and procedures that could help mitigate risks to enforcement under the OCR’s ongoing investigation and enforcement activities of HIPAA.  As reflected by a growing series of resolution agreements, these enforcement risks and their associated liability exposures are significant and growing.  OCR’s announcement of its latest Resolution Agreement with Alaska Medicaid concurrent the posting of the audit protocol.

Alaska 1.7 Million Resolution Agreement

OCR also announced June 26 that the Alaska State Medicaid Agency, the Alaska Department of Health and Social Services (DHSS) will pay the  $1,700,000 to settle possible violations of the HIPAA  Security Rule.  Alaska DHSS also has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries. 

The first HIPAA Resolution Agreement that the HHS Office for Civil Rights (OCR) has reached a state agency, the Alaska Medicaid Resolution Agreement  second announced Resolution Agreement stemming from a unsecured protected health information breach report filed in response to the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Earlier this year, OCR announced its first Resolution Agreement involving a health plan resulted from a breach notification report it had filed under the HITECH Act.  See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report.

OCR opened the investigation leading to the Resolution Agreement after Alaska DHSS filed a breach report that indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.  Inadequacies by covered entities in safeguarding protected health information and laptops and other devices containing ePHI is a common compliance concern according to OCR statistics.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts. 

OCR’s announcement highlights the need for covered entities not only to take proper steps to establish and administer appropriate policies and safeguards to protect protected health information and EHI, but also to prepare, update as needed and be prepared to produce documentation showing their oganizations actions to evaluate, monitor and maintain appropriate safeguards of ePHI and the operating systems and devices that contain this information. 

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

The HHS Resolution Agreement can be viewed here.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The Alaska Medicaid Resolution Agreement is the latest in a growing list of Resolutions Agreements highlighting the mounting exposures that health care providers, health plans, health care clearinghousesand their business associates face if required to file a large breach notification or otherwise charged with failing to appropriately manage their HIPAA responsibilities. See Arizona Physician Group Pays $100K To Settle HIPAA Charges; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.   As OCR leaders have indicated that OCR investigates all large breach notification filings made under the HITECH Act Breach Notification Rules and with more than 450 large breach notifications reported on its website, additional Resolution Agreements are expected in coming months even as covered entities and their business associates are awaiting the impending  issuance of updated HIPAA regulations.

In light of these and other developments and risks, covered entities and their business associates should move to audit and strengthen their HIPAA compliance and documentaiton and adopt  other suitable safeguards to minimize HIPAA exposures. 

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks. 

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. 

For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here.  Examples of some recent publications that may be of interest include:

• Supreme Court Now Expected To Release Ruling On Health Care Reform Law Thursday
• Health Care Reform Ruling Release Put Off Until Thursday
• OIG Invitation To Comment On Possible Changes To Provider Self-Disclosure Protocol Invaluable Opportunity To Provide Feedback
• Christus Pays $5 Million + To Settle False Claims Act Charges It Coded Outpatient Care As Inpatient
• Nonprofit CEO Convicted Of Embezzling Medicaid Funds Intended For Mentally Disabled Care
• Health Companies Looking To Raise Funds Beware: Old Practices & Forms May Need Update For Securities Law Changes
• Wichita Kansas Physician, Practice To Pay $1.5 Million To Settle False Claims Act
• Wichita Kansas Physician, Practice To Pay $1.5 Million To Settle False Claims Act
• Ambulance Worker Gets 46 Month Sentence For Defrauding Medicare By Running Company As Disqualified Person
• Temple To Pay $1,088,574.93 To Resolve Exposures From Voluntarily Disclosed Improper Health Care Billings
• Former Orthofix Executive Pleads Guilty To Anti-Kickback Law Violations
• Abbott Labs To Pay $1.5 Billion to Resolve Criminal & Civil Investigations Of Off-Label Promotion Of Depakote
• CMS Likely To Tighten Audits & Reimbursement After OIG Says “Extremely High” Retail Pharmacy Billings To Medicare Part D Warrant Close Scrutiny
• Houston-Area Nurse Gets 97 Month Sentence For Role In $5.2 Million Medicare Fraud Scheme
• Health Care Providers Get Nailed For Using False Statements To Defraud Medicaid, Bankruptcy Court

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.

The Alaska State Medicaid Agency, the Alaska Department of Health and Social Services (DHSS) will pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Alaska DHSS also has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries. 

The first HIPAA Resolution Agreement that the HHS Office for Civil Rights (OCR) has reached a state agency, the Resolution Agreement  second announced Resolution Agreement stemming from a unsecured protected health information breach report filed in response to the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Earlier this year, OCR announced its first Resolution Agreement involving a health plan resulted from a breach notification report it had filed under the HITECH Act.  See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report.

OCR opened the investigation leading to the Resolution Agreement after Alaska DHSS filed a breach report that indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.  Inadequacies by covered entities in safeguarding protected health information and laptops and other devices containing ePHI is a common compliance concern according to OCR statistics.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts. 

OCR’s announcement highlights the need for covered entities not only to take proper steps to establish and administer appropriate policies and safeguards to protect protected health information and EHI, but also to prepare, update as needed and be prepared to produce documentation showing their oganizations actions to evaluate, monitor and maintain appropriate safeguards of ePHI and the operating systems and devices that contain this information. 

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

The HHS Resolution Agreement can be viewed here.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The Alaska Medicaid Resolution Agreement is the latest in a growing list of Resolutions Agreements highlighting the mounting exposures that health care providers, health plans, health care clearinghousesand their business associates face if required to file a large breach notification or otherwise charged with failing to appropriately manage their HIPAA responsibilities. See Arizona Physician Group Pays $100K To Settle HIPAA Charges; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.   As OCR leaders have indicated that OCR investigates all large breach notification filings made under the HITECH Act Breach Notification Rules and with more than 450 large breach notifications reported on its website, additional Resolution Agreements are expected in coming months even as covered entities and their business associates are awaiting the impending  issuance of updated HIPAA regulations.

In light of these and other developments and risks, covered entities and their business associates should move to audit and strengthen their HIPAA compliance and documentaiton and adopt  other suitable safeguards to minimize HIPAA exposures. 

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks. 

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. 

For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here.  Examples of some recent publications that may be of interest include:

• Supreme Court Now Expected To Release Ruling On Health Care Reform Law Thursday
• Health Care Reform Ruling Release Put Off Until Thursday
• OIG Invitation To Comment On Possible Changes To Provider Self-Disclosure Protocol Invaluable Opportunity To Provide Feedback
• Christus Pays $5 Million + To Settle False Claims Act Charges It Coded Outpatient Care As Inpatient
• Nonprofit CEO Convicted Of Embezzling Medicaid Funds Intended For Mentally Disabled Care
• Health Companies Looking To Raise Funds Beware: Old Practices & Forms May Need Update For Securities Law Changes
• Wichita Kansas Physician, Practice To Pay $1.5 Million To Settle False Claims Act
• Wichita Kansas Physician, Practice To Pay $1.5 Million To Settle False Claims Act
• Ambulance Worker Gets 46 Month Sentence For Defrauding Medicare By Running Company As Disqualified Person
• Temple To Pay $1,088,574.93 To Resolve Exposures From Voluntarily Disclosed Improper Health Care Billings
• Former Orthofix Executive Pleads Guilty To Anti-Kickback Law Violations
• Abbott Labs To Pay $1.5 Billion to Resolve Criminal & Civil Investigations Of Off-Label Promotion Of Depakote
• CMS Likely To Tighten Audits & Reimbursement After OIG Says “Extremely High” Retail Pharmacy Billings To Medicare Part D Warrant Close Scrutiny
• Houston-Area Nurse Gets 97 Month Sentence For Role In $5.2 Million Medicare Fraud Scheme
• Health Care Providers Get Nailed For Using False Statements To Defraud Medicaid, Bankruptcy Court

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.

The $100,000 settlement with an Arizona-based physician group announced today by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) demonstrates the need for all health care providers, health plans, health care clearinghouses (covered entities) and their business associates to maintain appropriate HIPAA compliance and risk management procedures and documentation.

Arizona-based Phoenix Cardiac Surgery, P.C. (PCS) will pay the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.  Health care providers and other HIPAA-covered entities should heed the PSC and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer proper HIPAA compliance practices.

The PCS settlement follows an extensive OCR investigation of a report that PCS posted clinical and surgical appointments for its patients on a publically accessible Internet-based calendar. Among other things, the Resolution Agreement documenting the PCS settlement states that OCR’s investigation found that the persistent failure by PCS to adopt HIPAA required policies and safeguards, maintain required business associate agreements, and conduct necessary workforce training resulted in the prohibited posting of more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar and business associates improperly receiving and maintaining PHI and ePHI without the protection of required business associate agreements.

Under the PCS HHS Resolution Agreement available here, PCS will pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.  Like the $1,500,000 Blue Cross Blue Shield of Tennessee (BCBST) Resolution Agreement announced last month, the PCS shows OCR’s readiness to sanction health care providers and other covered entities of all sizes for violations of HIPAA.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

Like the BCBST Resolution Agreement and other previously announced OCR Resolution Agreements, the PCS provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.  Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. 

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks. 

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. 

For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here.  Examples of some recent publications that may be of interest include:

• DC Court Enjoins Implementation of NLRB Poster Rule
  • Orthofix Medical Device Exec Awaits Sentencing After Pleading Guilty To Violating Anti-Kickback Law
  • Health Care Providers Also Should Guard Against Rising Exposures To State Health Care Fraud & Other Enforcement Risks
  • Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference
  • Halfway House Owner Gets 24 Months Imprisonment For Health Care Fraud & Kickback Conviction
  • Health Plans Should Act Quickly To Prepare Affordable Care Act Required Summary of Benefits & Communications & Update Other Health Plan Communications
  • NLRB Report Shows Rise In Unfair Labor Practice Complaints & Formal Proceedings
  • Sullivan University System to Pay $483,000 in Back Wages Overtime Violations Stemming From Worker Misclassifications
  • New DOL Final Rules Tighten Requirements For Employers To Hire Alien Workers Using H-2B Visas
  • OSHA $1Million Award Against AirTran Airways Highlights Retaliation Risks
  • HHS Chides Trustmark Life Insurance Company For “Excessive” Health Premium Increases After Affordable Care Act Rate Audit
  • Labor Department Final Rule Defines Recreation Vehicle For Longshore & Harbor Workers’ Compensation Act
  • Portion of Health Care Costs Paid By Government Programs Rose As Employer Provided & Other Private Health Care Coverage Declined In 2010
  • Help Careflite Celebrate New Facility 1/11
  • Careflite Dedicates New Facility January 11, 2012
  • Manufacturer’s Excessive I-9 Documentation Triggers Discrimination Liability

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.