September 8, 2009
Register here To Participate In September 9 or September 17 Briefings on New HIPAA Data Breach Rules
Two recent separate criminal actions against hospital workers for wrongfully accessing medical records in violation of the medical privacy provisions of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA) are the latest reminders to health care providers, health plans, health care clearinghouses, their business associates and members of their workforce that the criminal provisions of the HIPAA Privacy Rules have teeth.
Palmetto General Hospital Employee And Accomplice Indicted For Stealing Patient Records As Part Of Fraud
In Miami-Dade County, federal felony charges are pending against Jacquettia L. Brown, 29, and Tear Renee Barbary, 25, for offenses relating to the theft of patient profile records from Palmetto General Hospital to further a fraud scheme.
A seven-count Indictment announced by the Department of Justice on May 26, 2009 charges Brown and Barbary with conspiracy to commit access device fraud in violation of Title 18, United States Code, Section 1029(b)(2), and criminal violations of HIPAA. In addition, Brown is charged with aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1). If convicted, the defendants face a statutory maximum of five (5) years’ imprisonment on Count 1, and a statutory maximum of ten (10) years’ imprisonment as to each of Counts 2, 3, and 7. As to Counts 4-6, Brown faces a two (2) year mandatory prison sentence per count.
According to the Indictment, Brown, a medical records employee of Palmetto General Hospital, took records containing personal profile information of Palmetto General Hospital patients. Defendant Brown and Barbary then used the stolen personal information to further a credit card fraud conspiracy. The patient profile records that Brown stole included personal identifying information, such as patients’ names, birthdates, Social Security numbers, addresses, driver’s license numbers, and next of kin contacts. Brown used the stolen identifying information to obtain patients’ credit card account numbers. She gave patient profile records and credit card account numbers to Barbary, who used the information to make unauthorized credit card purchases. When law enforcement officials disrupted the scheme, Brown was in possession of 41 patient profile records and Barbary was in possession of six patient profile records.
Curiosity Check of Medical Records Results In Arkansas Doctor, 2 Former Hospital Employees Guilty Plea To HIPAA Violation
Three Arkansas health care workers could be sentenced to up to 1 year in prison, a fine of not more than $50,000, or both after pleading guilty in July, 2009 to misdemeanor violations of the health information privacy provisions of HIPAA for accessing a patient’s record without any legitimate purpose.
United States Magistrate Judge Henry L. Jones, Jr. accepted the guilty pleas of Dr. Jay Holland, age 56, of Little Rock, Arkansas; Sarah Elizabeth Miller, age 28, of England, Arkansas; and Candida Griffin, age 34, of Little Rock, Arkansas after each admitted to accessing patient records to satisfy their own curiosity.
Dr. Holland, Medical Director of Select Specialty Hospital, located on the 6th floor of the St. Vincent Infirmary Medical Center (SVIMC), admitted that after watching news reports on television, he logged on to the SVIMC patient records from his computer at home and accessed a patient’s files to determine if the news reports were accurate. He admitted he accessed the file because he was curious even though he had had HIPAA training and understood he was violating HIPAA when he accessed the file. SVIMC suspended Dr. Holland’s privileges for two weeks and required him to complete on-line HIPAA training.
Sarah Elizabeth Miller, formerly an account representative at SVIMC, Sherwood Campus, was responsible for checking patients in and out of the clinic and for processing patient billing. In order to perform her duties, she had access to the SVIMC patient records program which includes all locations, not just that of the Sherwood clinic. Miller admitted that on October 20 and 21, 2008, she accessed a patient’s files approximately 12 times out of curiosity. She admitted that she accessed the records without any legitimate purpose. Records show that Miller was trained on HIPAA privacy laws by SVIMC. SVIMC fired Miller from her position.
Candida Griffin was the emergency room unit coordinator at SVIMC. Her responsibilities were to order patient tests, perform data entry into electronic patient files for patients and perform other secretarial functions in the emergency room. Griffin admitted that on October 20, 2008, she was told by the charge nurse to set up an alias for a particular patient admitted to the emergency room. On October 21, 2008, after the patient had been moved to ICU, Griffin admitted that she became curious about the patient’s status and accessed the medical chart to find out if the patient was still living. Although Griffin did not inform anyone about accessing the chart, hospital records show that the patient’s records were accessed three times that day by Ms. Griffin. SVIMC records show that Griffin was trained on HIPAA privacy laws. SVIMC fired Griffin from her position.
Pursuant to plea agreements with the United States, Holland, Miller and Griffin pleaded guilty to a misdemeanor violation of the health information privacy provisions of HIPAA based on their accessing a patient’s record without any legitimate purpose. Each faces a maximum penalty of 1 year imprisonment, a fine of not more than $50,000, or both. A sentencing date has not yet been set, but is expected within the next few weeks.
Criminal Referral and Enforcement Continues
Together with the HIPAA-related criminal convictions in 2008 of David Gibson, Fernando Ferrer, Jr. and Andrea Smith discussed here, these new Arkansas and Florida criminal actions document the willingness of Justice Department attorneys to investigate and prosecute certain criminal violations. Because they involved the theft of health information for use in furtherance of other health care fraud schemes, many have viewed the prosecution of Gibson, Ferrer, Brown and Barbary as predictable and understandable. In contrast, the willingness of Jane W. Duke, United States Attorney for the Eastern District of Arkansas, to prosecute criminally the wrongful access by the SVIMC health care workers and Andrea Smith in the absence of other health care fraud motives challenges the perception widely held among certain segments of the health care and health plan industry that the criminal provisions of HIPAA have little teeth. Since U.S. Attorney Duke pursued both the SVIMC and Smith prosecutions, it remains to be seen whether other U.S. Attorneys will be equally willing to pursue prosecution of HIPAA violations in the absence of evidence of other federal health care crimes.
Less speculative is the growing readiness of the Department of Health & Human Services Office of Civil Rights to pursue civil remedies for HIPAA violations. On February 18, 2009, for instance, OCR and the Federal Trade Commission (“FTC”) issued a joint announcement (the “Announcement”) ordering CVS Pharmacy, Inc., the nation’s largest retail pharmacy chain, to pay the U.S. government a $2.25 million settlement and to take other corrective action to ensure that it does not violate the privacy rights of patients under HIPAA when disposing of patient information such as identifying information on pill bottle labels. In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order and agreed to a settlement with the FTC to settle potential violations of the FTC Act. The investigation resulting in the settlement marks the first instance where the OCR formally coordinated on the investigation and resolution of a case with the FTC.
Coming as new data breach notification requirements for HIPAA-covered entities are set to take effect on September 23, 2009, these and other stepped up oversight and enforcement activities make it critical that all health care providers, health plans, health care clearinghouses and their business associates update their policies and practices, tighten their compliance and data breach monitoring processes, and strengthen their internal controls and compliance in preparation for defending their actions under the newly strengthened Privacy Rules. Covered entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards. Covered entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.
If you need assistance with auditing, updating or defending your organization’s HIPAA and other privacy and data security practices, please contact Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at CStamer@CTTLegal.com.
Register Now For Upcoming September Health Industry Update Programs
If you found this information of interest, you also may be interested in one of the following upcoming health industry programs to be presented by Ms. Stamer during September:
- HITECH ACT Health Data Security & Breach Update on September 9, 2009 hosted live or via teleconference by Curran Tomko Tarski LLP
- How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination — What You Should Be Doing To Be Prepared for the New, Stepped Up Enforcement Actions on September 10, 2009 hosted via teleconference by Health Resources Publishing
- Health Information Security & Data Breach Under HITECH Act on September 17, 2009 hosted via teleconference by the Health Care Compliance Association
To register or for other details about these and other upcoming programs and presentations by Ms. Stamer and other Curran Tomko Tarski members, see here.
For More Information
We hope that this information is useful to you. If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Edwin J. Tomko at (214) 270-1405 or another Curran Tomko Tarski LLP Partner of your choice. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other internal controls and risk management matters.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to cstamer@cttlegal.com.
©2009 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
August 26, 2009
Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 23, 2009.
The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
HITECH Act Data Breach and Unsecured PHI Rules
Published in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens, and specifies the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 23, 2009.
Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federal mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that is not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.
Under the HITECH Act, the breach notification obligations contained in the Breach Regulation only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.
For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.
Read the Breach Regulation here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.
OCR officials are continuing to work on other guidance concerning the amendments to HIPAA’s privacy and security rules enacted under the HITECH Act and the Genetic Information and Nondiscrimination Act (GINA). Differences in the effective dates of certain requirements generally will necessitate that Covered Entities and their business associates move forward to comply with the Breach Regulations and other aspects of these changes before some of these other rules or guidance relating to them take effect.
About The Author
The author of this update, Curran Tomko Tarski LLP Health Practice Leader Cynthia Marcotte Stamer, is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Vice President of the North Texas Health Care Compliance Professionals Association and Past Chair of the ABA Health Law Section Managed Care & Insurance Section, and Former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 20 years’ experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.
Other Helpful Resources & Other Information
If you found this update of interest, you also may be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@cttlegal.net.
Posted by Cynthia Marcotte Stamer
August 24, 2009
Register Now To Participate in September 9 “HITECH Act Health Data Security & Breach Update”
Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 24, 2009.
The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time.
HITECH Act Data Breach and Unsecured PHI Rules
Scheduled for publication in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens, and specifies the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 24, 2009.
Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federal mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that is not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.
Under the HITECH Act, the breach notification obligations contained in the Breach Regulation only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.
For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.
Read the Breach Regulation here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.
September 9 “HITECH Act Health Data Security & Breach Update” Briefing
Interested persons are invited to register here now to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas, Texas 75201. For information about registering for this program or other questions, see here.
Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:
- Who must comply
- What your organization must do
- How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
- What is considered a breach of unsecured protected health information
- What steps must a covered entity take if a breach of unsecured protected information happens
- What liabilities do covered entities face for non-compliance
- What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
- How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
- Other recent developments
- Practical tips for assessing, planning, moving to and defending compliance
- Participant questions
- More
About The Presenter
The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.
Posted by Cynthia Marcotte Stamer
August 20, 2009
The U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009) issued “breach notification” regulations requiring health care providers, health plans and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Covered entities must begin complying with the new rules no later than September 24, 2009.
Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas, Texas 75201. For more information, e-mail here.
HITECH Act Data Breach and Unsecured PHI Rules
The new data breach notification rules are part of a series of recent HIPAA amendments enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate covered entities and business associates to provide certain notifications following a breach of “unsecured” “protected health information” within the meaning of HIPAA, as amended. “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary.
The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach, and specify the form, manner, and timing of that notification. For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure. To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the guidance HHS published earlier this year specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information will be considered “unsecured” under the HITECH Act data breach rules. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.
The HHS interim final regulations are effective September 24, 2009, which is the date 30 days after the date they will be published in the Federal Register, and include a 60-day public comment period. To review the interim final data breach regulations, see here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.
For More Information
The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers, payors and their business associates about HIPAA and other privacy and data security matters, as well as a diverse range of health care policy, regulatory, compliance, risk management and operational concerns.
Past chair of the American Bar Association Health Law Section Managed Care & Insurance Section, Martindale-Hubbell AV-rated and recognized in International Who’s Who of Professionals, Ms. Stamer continuously advises health care providers, health care payers and administrators, employers, governments and others about health care, insurance, human resources, privacy and data security, technology, and other legal and operational concerns. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer also writes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. She currently serves as the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010. Examples of her other works include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of others. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service Privacy Report, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and various other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.
We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.
We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on LinkedIn and registering to receive these updates here.
Other Helpful Resources & Other Information
We hope that this information is useful to you. If you found these updates of interest, you also may be interested in one or more of the following other recent articles published on our electronic Solutions Law Press Health Care Update publication available here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.
©2009 Cynthia Marcotte Stamer. All rights reserved.
Posted by Cynthia Marcotte Stamer
August 5, 2009
Democratic Leaders in the House of Representatives plan to hammer out differences among three versions of the America’s Affordable Health Choices Act (H.R. 3200) as separately passed by three key House Committees in July before House members return from their August recess in hopes of bringing the agreed to version of H.R. 3200 to the full House in September. Regardless of which version ultimately emerges, the enactment of H.R. 3200 would result in sweeping new regulation and federal control over health care providers, health care payers, employers, and individuals.
After negotiating a last minute pre-August recess deal with certain Blue Dog Democrat Committee members, the House Energy and Commerce Committee on July 31, 2009 passed its version of the America’s Affordable Health Choices Act (H.R. 3200). The version of H.R. 3200 passed by the House Energy and Commerce Committee incorporates a series of amendments to the language of H.R. 3200 as originally introduced. For instance, this version of H.R. 3200 provides incentives for states to adopt certain tort reforms, provides for a public plan option that would reimburse physicians based on negotiated rates rather than Medicare rates, and would allow states to offer both state-based health insurance exchanges and health insurance co-ops. To review H.R. 3200 as amended by the House Energy and Commerce Committee, see here.
The approval by the Energy and Commerce Committee of its version of H.R. 3200 follows the July 17, 2009 approval by the House Ways and Means Committee and Education and Labor Committee of their own versions of H.R. 3200. For details on the version of H.R. 3200 approved by the House Ways and Means Committee, see here. For details on the version of H.R. 3200 approved by the House Education and Labor Committee, see here.
Leading House Democrats have announced their intention to work to resolve differences between these three versions of H.R. 3200 as passed by these Committees during the August recess in hopes of bringing the agreed to version of H.R. 3200 to a vote of the full House of Representatives in September.
Meanwhile, House members from both parties also generally are using the August recess as an opportunity to reconnect with local constituents on health care reform and other core issues.
For More Information
The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer, has extensive experience advising and assisting health industry clients and others about a diverse range of health care policy, regulatory, compliance, risk management and operational concerns. You can get more information about her health industry experience here.
Posted by Cynthia Marcotte Stamer
August 4, 2009
The Department of Health and Human Services (HHS) this week announced additional job openings on its Office For Civil Rights (OCR) Health Information Privacy Enforcement Team.
These new positions are located in the OCR Office of the Deputy Director Health Information Privacy (ODDHIP). OCR provides the oversight, leadership, and coordination necessary to ensure that individuals have nondiscriminatory access to HHS services or programs and that the privacy of their health information is protected. The Division of Health Information Privacy enforces the HIPAA Privacy Rule and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
For more information on these available positions, go here and enter the corresponding job announcement number applicable to the position of interest below.
Health Information Privacy Specialist, GS-301-13/14 HHS-OS-14-2009-0012
Health Information Privacy Specialist, GS-301-13/14 HHS-OS-14-2009-0013
The open period for these positions is Friday, July 31, 2009 to Thursday, August 13, 2009.
For More Information
We hope that this information is useful to you. If you need assistance with EMR or other health care technology, privacy or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to cstamer@cttlegal.com.
Posted by Cynthia Marcotte Stamer
August 4, 2009
The Department of Health & Human Services (HHS) today (August 3, 2009) transferred authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights (OCR). Prior to this announcement, responsibility for interpretation and enforcement of the Security Rule rested with the Centers for Medicare & Medicaid Services (CMS). The change reflects the growing seriousness of HHS and others about enforcing federal privacy and data security mandates for health information. HHS anticipates the transfer of authority will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.
HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. OCR has been responsible for enforcement of the Privacy Rule since 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.
Through a separate delegation, CMS continues to have authority for administration and enforcement of the HIPAA Administrative Simplification regulations, other than privacy and security of health information.
The transfer of Security Rule enforcement authority comes as guidance about new data breach rules for electronic protected health information is impending. This impending guidance relates to the implementation of new breach notification rules for covered entities and their business associates concerning their obligation to use technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by amendments to HIPAA enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February. OCR officials have stated that they are working to publish the next set of regulations regarding these new breach notifications before the end of August, 2009.
In addition to adding the breach notification requirements, the HITECH Act also tightened the HIPAA mandates in several other respects. Among other things, it amended HIPAA to:
- Broaden the applicability of HIPAA’s Privacy Rules and penalties to include business associates;
- Clarify that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
- Increase criminal and civil penalties for HIPAA Privacy Rules violators;
- Allow State Attorneys General to bring civil damages actions on behalf of certain state citizens who are victims of HIPAA Privacy and Security Rule violations;
- Modify certain HIPAA use and disclosure and accounting requirements and risks;
- Prohibit sales of PHI without prior consent;
- Tighten certain other HIPAA restrictions on uses or disclosures;
- Tighten certain HIPAA accounting for disclosure requirements;
- Clarify the definition of health care operations to exclude certain promotional communications; and
- Expand the Business Associates Agreement Requirements.
These and other developments make it imperative that HIPAA covered entities and their business associates act promptly to review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.
For more information about today’s announcement, see here. See here for the initial guidance and request for comments issued by HHS regarding these new security standards.
For More Information
We hope that this information is useful to you. If you need assistance with health care privacy and data security, technology, or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health care privacy and data security and related matters.
Posted by Cynthia Marcotte Stamer
July 15, 2009
House Democrats introduced their proposal for health care reform this afternoon (July 14, 2009), the “America’s Affordable Health Choices Act of 2009” (the “House Bill”). Introduced under the sponsorship of three key House committees (Energy and Commerce, Ways and Means, and Education and Labor), the 1018-page House Bill details the sweeping and comprehensive health care reforms touted by House Democrat Leaders. A copy of the House Bill as introduced may be reviewed here.
The House Bill proposes sweeping reforms built around the establishment of a public plan option while technically continuing to permit private plans to operate but in a federally regulated form allowing for little meaningful plan design control to private payers, health care providers or the individuals choosing among the plan options. The Congressional Budget Office estimates that the coverage side of the bill will cost $1 trillion and cover 97 percent of the legal population within 10 years.
The following is a brief overview of certain key provisions of the House Bill drawn mostly from a series of high level summaries released by House Democrats along with the House Bill. You can read these summaries, which are long on politically comforting phrasing and short on details, here.
Public Plan Option. The House Bill proposes the establishment of a public health insurance option that would compete with allowable private plans, both of which would be subject to sweeping federal controls. Democrat House co-sponsors represent that the House Bill:
- Provides a public health insurance option that would compete with private insurers within the Health Insurance Exchange.
- Makes the public health insurance option available in the new Health Insurance Exchange (Exchange) along with private health insurance plans that comply with the design dictates established in the House Bill.
- Requires the public health insurance option and private plan options to meet the same benefit requirements and comply with the same insurance market reforms.
- Provides for the public option’s premiums to be established for the local market areas designated by the Exchange.
- Allows individuals with affordability credits to choose among the private carriers and the public option.
- Requires that the public health plan option and private health plan options each be financially self-sustaining.
- Promotes primary care, encourages coordinated care and shared accountability, and improves quality.
- Institutes new payment structures and incentives to promote these critical reforms.
- Specifies that health care provider participation in the plans will be voluntary; Medicare providers are presumed to be participating unless they opt out.
- Provides that provider reimbursements for services from the plans initially will be established using “rates similar to those used in Medicare with greater flexibility to vary payments.”
Speaker of the House Nancy Pelosi has announced plans to proceed immediately on mark up on the House Bill with the intention of scheduling a vote on the House Bill by the end of July. Assuming that House leaders adhere to this schedule, the planned timetable leaves little opportunity for critical evaluation and input by members of Congress or the public who may have questions or concerns about the proposed legislation. Prompt and coordinated action is required for individuals with concerns about any of the proposed reforms.
Federal Mandates Health Plan Benefits. In order to achieve affordable, quality health care for all, the House Bill would impose federal standards regulating the benefits that the public health plan and private health plans would be required and permitted to offer. Under these provisions, the House Bill would:
- Establish a standardized benefit package that covers essential health services.
- Vest the power in the Secretary of Health & Human Services to decide the coverage that would be included in this mandated standardized benefit package.
- Eliminate cost-sharing for preventive care (including well baby and well child care).
- Impose caps on annual out-of-pocket spending for individuals and families.
- Create a new independent Benefits Advisory to recommend to the Secretary and update the core package of benefits.
- Provide for the public health plan option to offer four tiers of benefit packages from which consumers can choose to best meet their health care needs. Each allowable plan would be required to provide the dictated core benefits.
  - The Basic Plan would include the federally mandated core set of covered benefits and cost sharing protections;
  - The Enhanced Plan would include the federally mandated core set of covered benefits with more generous cost sharing protections than the Basic plan;
  - The Premium Plan would include the federally mandated core set of covered benefits with more generous cost sharing protections than the Enhanced plan; and
  - The Premium Plus Plan would include the federally mandated core set of covered benefits, the more generous cost sharing protections of the Premium plan, and additional covered benefits (e.g., oral health coverage for adults, gym membership, etc.) that will vary per plan. In this category, insurers must disclose the separate cost of the additional benefits so consumers know what they’re paying for and can choose among plans accordingly.
The House Bill empowers the Secretary of Health & Human Services to decide what coverage the federally dictated, required core set of benefits provides, with input from a newly created Benefits Advisory Commission. These core benefits are intended to include inpatient hospital services, outpatient hospital services, physician services, equipment and supplies incident to physician services, preventive services, maternity services, prescription drugs, rehabilitative and habilitative services, well baby and well child visits and oral health, vision, and hearing services for children and mental health and substance abuse services. However, the particular terms and scope of these benefits are left to HHS to define.
Health Insurance Exchange. The House Bill also calls for the establishment of a “Health Insurance Exchange” meeting federal mandates through which low income individuals initially, and certain small businesses, would be offered the option to purchase health care coverage through federally mandated purchasing groups. In the first year, the House Bill provides for the Health Insurance Exchange to accept those without health insurance, those who are buying health insurance on their own, and small businesses with fewer than 10 people. In the second year, the Health Insurance Exchange could accept small businesses with fewer than 20 people. After that, it could accept “larger employers as permitted by the Commissioner.” In other words, expansion is discretionary, not mandated.
Affordability & Subsidies. The House Bill provides sliding-scale affordability credits for individuals and families with incomes above the Medicaid thresholds but below 400% of poverty and imposes a cap on total out-of-pocket spending for individuals and families covered under the plans regardless of income. In addition, the House Bill would broaden Medicaid coverage to include individuals and families with incomes below 133% of poverty.
Effective 2013, sliding scale affordability credits would be provided to individuals and families between 133% and 400% of poverty. That means the credits phase out completely for an individual with $43,320 in income and a family of four with $88,200 in income (2009).
The sliding scale credits limit individual family spending on premiums for the essential benefit package to no more than 1.5% of income for those with the lowest income and phasing up to no more than 11% of income for those at 400% of poverty.
The affordability credits also subsidize cost sharing on a sliding scale basis, phasing out at 400% of poverty, ensuring that covered benefits are accessible.
The Health Insurance Exchange would administer the affordability credits in relationship with other federal and state entities, such as local Social Security offices and Medicaid agencies.
The essential benefit package, and all other benefit options, limit exposure to catastrophic costs with a cap on total out of pocket spending for covered benefits. Special provisions would apply to Medicaid.
Effective 2013, individuals with family income at or below 133% of poverty ($14,400 for an individual in 2009) are eligible for Medicaid. State Medicaid programs would continue to cover those individuals with incomes above 133% of poverty, using the eligibility rules states now have in place.
Paying The Tab. House Democrats propose to finance approximately half of the estimated $1 trillion bill for their proposed reforms through a projected $500 billion or so in savings from Medicare and Medicaid achieved by a variety of reimbursement and benefit cutbacks and other reforms. The rest of the financing would come from a combination of revenue expectations from employer and individual mandates (an estimated $200 billion over 10 years) and a surtax on the richest 1.5 percent of Americans. The surtax is 1 percent on income between $350,000 and $500,000; 1.5 percent on income between $500,000 and $1,000,000; and 5.4 percent on income above $1,000,000. The House Bill permits the amount of this surtax to vary if the bill is less or more expensive than initially anticipated.
The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer, has extensive experience advising and assisting health industry clients and others about a diverse range of health care policy, regulatory, compliance, risk management and operational concerns. You can get more information about her health industry experience here.
If you need assistance evaluating or formulating comments on the proposed reforms contained in the House Bill or on other health industry matters, please contact Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402 or your other favorite Curran Tomko Tarski LLP attorney.
Other Helpful Resources & Other Information
We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please consider registering to receive this Solutions Law Press Health Care Update in real time here, joining the LinkedIn SLP Health Care Risk Management & Operations Group, and/or subscribing to receive e-mail distributions of some of these updates by sharing your current contact information – including your preferred e-mail – by creating or updating your profile here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.
For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.
Posted by Cynthia Marcotte Stamer
June 16, 2009
Friday, June 26, 2009 at 5:00 p.m. Eastern Time is the deadline to submit comments to the Office of the National Coordinator for Health Information Technology (ONC) on the recommendations about how to define the term “meaningful use” of electronic health records (EHRs) that were presented to the Health Information Technology Policy Committee today (June 16, 2009) and are available for review here. Comments will be received by the Committee for consideration and further recommendations to the National Coordinator of Health Information Technology on the elements and measures of Meaningful Use of a certified EHR.
The HIT Policy Committee is a Federal Advisory Committee (FACA) to the U.S. Department of Health and Human Services (HHS). The American Recovery and Reinvestment Act of 2009 (“ARRA”) provides for Medicare and Medicaid incentive payments for eligible providers, such as physicians and hospitals, in order to promote the adoption of EHRs. To receive the incentive payments, providers must demonstrate “meaningful use” of a certified EHR. Building upon the work of the HIT Policy Committee, HHS anticipates developing a proposed rule that provides greater detail on the incentive programs and “meaningful use.” HHS expects to issue the proposed rule in late 2009, which will be followed by a comment period.
How OCR decides to define meaningful use of EMR is likely to play a central role in determining how well the provider incentives to use EMR included in ARRA’s HITECH Act provisions work, and ultimately in how effectively those provisions and other OCR efforts to accelerate the use of EMR and other health information technology promote health care efficiency and quality.
For instructions on how to comment or additional information, see here.
For More Information
We hope that this information is useful to you. If you need assistance with EMR or other health care technology, privacy or other health care compliance, risk management, transaction or operation concerns, please contact Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com or your other favorite Curran Tomko Tarski LLP Partner.
You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to CStamer@CTTLegal.com.
Posted by Cynthia Marcotte Stamer
June 12, 2009
The Federal Trade Commission (FTC) and five other federal agencies yesterday (June 11, 2009) jointly issued a set of frequently asked questions (FAQs) about federal regulations on the “Red Flags and Address Discrepancy Rules” (Red Flag Rules) implementing sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) now scheduled to take effect on August 1, 2009.
Health care providers and a broad range of other entities are among the organizations generally required to comply with the broadly reaching Red Flag Rules, which require “financial institutions” and “creditors” to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.
The sweeping reach of the definition of “creditor” and “financial institutions” in the Red Flag Rules and other confusion about the Red Flag Rules have prompted the agencies to delay the deadline for compliance several times. The most recent delay, which extended the compliance deadline from May 1 to August 1, 2009, was announced by the FTC on April 30, 2009. When it announced this latest delay, the FTC promised to issue additional guidance to help promote better understanding of the rules.
Fulfilling this promise, the FAQs discuss numerous aspects of the Red Flag Rules, including:
- Types of entities and accounts covered;
- Establishment and administration of an Identity Theft Prevention Program;
- Address validation requirements applicable to card issuers; and
- Obligations of users of consumer reports upon receiving a notice of address discrepancy.
FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers. The FTC has made clear it perceives most health care providers as falling within the scope of these rules.
FACTA is only one of a growing list of evolving privacy and data security mandates that businesses must address under federal and state laws. In addition to FACTA, most businesses also face other specific data security and data breach requirements under a tapestry of other federal and state laws which are constantly evolving. Beyond these generally applicable data security and breach rules, many organizations face evolving industry-specific mandates. For example, health care providers, health plans, health care clearinghouses and their business associates also are required to update their privacy and data security practices to comply with recent amendments to the Health Insurance Portability & Accountability Act Privacy & Security Standards signed into law February 17, 2009.
Many of these federal laws provide for both civil penalties as well as criminal penalties that bring violations of these regulations under the Federal Sentencing Guidelines. As a consequence, most organizations need to implement and administer compliance programs to manage these Federal Sentencing Guideline risks. Even where criminal sanctions are not triggered, noncompliance with these and other data security mandates can trigger substantial judgment awards, administrative penalties or both.
If you need assistance with auditing, updating, administering or defending your privacy, data security or other privacy and data security practices or addressing other health care compliance, risk management, transactions or operations concerns, please contact Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com.
For More Information
We hope that this information is useful to you. You can find more information about the Red Flag Rules and other privacy and identity theft matters here. You also can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to CStamer@CTTLegal.com.
Posted by Cynthia Marcotte Stamer
June 10, 2009
Coalition For Responsible Health Care Reform Founded To Help Concerned Americans Respond
Americans concerned about plans of President Obama and Congressional Democrats to enact comprehensive health care reform this year must speak up now.
Senator Edward M. Kennedy yesterday (June 9, 2009) circulated a 625 page proposal to radically reform the U.S. health care system. The latest draft of the “Affordable Health Choices Act” (the “Act”) details the comprehensive health care reforms that President Obama and Democrats in Congress propose to enact before year end. President Obama and key Congressional Democrats are moving quickly to enact their vision for “comprehensive health reform” this year.
The Act circulated yesterday by Senator Kennedy would radically change the U.S. health care system if enacted as currently proposed. Consistent with announced plans by President Obama and key Congressional Democrats to enact “comprehensive health care reform” this year, Democratic leaders in Congress are rushing to enact this legislation well before year end. In furtherance of plans to fast track enactment of the Act, the Senate Committee on Health, Education, Labor and Pensions (HELP) chaired by Senator Kennedy will hold a hearing on the Act this week in anticipation of meetings to mark up the Act on Tuesday, June 16 at 2:30 p.m. in Russell 325.
The Act, as proposed, would make sweeping changes to the U.S. health care system and radically expand the involvement of government in the delivery and financing of health care. Among other things, the Act as proposed would:
- Establish government provided “Gateway” health care coverage programs to provide coverage for Americans not insured under qualifying employer or other privately run “qualified health plan” to be financed in part through surcharges on private health plans and health insurers and other taxes and assessments and in part through premiums on enrolled individuals
- Require that Americans participating in the Gateway health care coverage programs be offered the opportunity to enroll in at least one “public health insurance option”
- Require Americans to choose either to enroll in a government run Gateway health program or enroll in qualifying coverage under a privately run qualified health plan
- Impose sweeping new mandates on employer and union-sponsored group health plans and insurers
- Impose newly created taxes on individuals that fail to maintain enrollment in health coverage under either a Gateway health program or a private qualified health plan
- Tax and/or eliminate the deductibility of health coverage premiums and certain other amounts paid by certain employers and employees
- Impose new federal mandates for health care providers, health plans and health insurers relating to the quality standards, the use of health care technology and other matters
- Grant federal regulators sweeping authority to define what qualifies as appropriate health care and health care coverage, the health care services that qualify for health care coverage and the payment and delivery of health care services.
You can review a copy of currently proposed provisions of the 615 page Act here. Individuals concerned about these and other proposed health care reforms must act immediately to become familiar and share their input on the proposals.
Assistance Monitoring & Responding To Health Care Reform Proposals
If you or someone else you know would like to receive updates about health care reform proposals and other related legislative, regulatory, and enforcement developments, please:
- Register for this resource at the link above;
- Join the Coalition for Responsible Health Policy group at linkedin.com to share information and input;
- Share your input by communicating with key members of Congress on committees responsible for this legislation and your elected officials directly and by actively participating in and contributing to other like-minded groups; and
- Be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here.
You can register to receive future updates on legislative and regulatory health care reform proposals and other related information by registering for this resource or access other publications by Ms. Stamer and access other helpful resources here.
Long-time health policy advocate and advisor Cynthia Marcotte Stamer has more than 22 years of experience advising and assisting clients to evaluate and respond to health care reform proposals and other proposed or adopted changes in federal or state health care, employee benefit, employment, tax and other federal and state laws. Former Chair of the American Bar Association’s Managed Care & Insurance Section, Ms. Stamer is a highly regarded legal advisor, policy advocate, author and speaker recognized both nationally and internationally for her more than 20 years of work assisting U.S. public and private employers, health care providers, health insurers, and a broad range of other clients to respond to these and other health care, employee benefit and workforce public policy, regulatory and compliance and risk management concerns within the U.S. as well as internationally. Her work includes extensive involvement providing input and assistance about health care, workforce, pensions and social security and other reforms domestically and internationally. In addition to her continuous involvement in U.S. health care, pensions and savings, and workforce policy matters, Ms. Stamer has served as an advisor on these matters internationally. As part of this work, she served as a lead advisor to the Government of Bolivia on its social security reform and has provided input on ethics, medical tourism, workforce and other reforms internationally.
Ms. Stamer is a widely published author and popular speaker on health plan and other human resources, employee benefits and internal controls issues. Her work has been featured and published by the American Bar Association, BNA, SHRM, World At Work, Employee Benefit News and the American Health Lawyers Association. Her insights on human resources risk management matters have been quoted in The Wall Street Journal, the Dallas Business Journal, Managed Care Executive, HealthLeaders, Business Insurance, Employee Benefit News and the Dallas Morning News.
Ms. Stamer also serves in a number of professional leadership roles including the leadership council of the ABA Joint Committee on Employee Benefits, Vice Chair of the ABA Real Property, Probate & Trust Section and Employee Benefits & Compensation Group.
If your organization needs assistance with monitoring, assessing, or responding to these or other health care, employee benefit or human resources reforms, please contact Ms. Stamer via e-mail here, or by calling (214) 270-2402. For additional information about the experience, services, publications and involvements of Ms. Stamer specifically or to access some of her many publications, see here.
Additional Resources & Information
We hope that this information is useful to you. For additional information about the experience, services, publications and involvements of Ms. Stamer specifically or to access some of her many publications, see here.
Posted by Cynthia Marcotte Stamer
May 26, 2009
Health care organizations, health plans and regulators increasingly point to gainsharing and pay-for-performance strategies as key to securing the physician buy-in and performance needed to achieve desired health care quality and cost objectives. Using physician gainsharing to promote desired performances within the bounds of the law without undesirable side effects involves more than staying within the STARK exceptions and anti-kickback safe harbors.
Curran Tomko Tarski LLP attorney Cynthia Marcotte Stamer will discuss key strategies and processes for designing and administering legally defensible pay-for-performance and other gainsharing arrangements that promote desired outcomes in operation at the Dallas Bar Association Health Law Section meeting on June 17, 2009.
Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, attorney and author Cynthia Marcotte Stamer is nationally and internationally recognized for her legal work, publications and programs, and advocacy on health industry performance management and other health industry matters. Ms. Stamer works extensively with health care organizations, managed care and health insurance organizations, governments and others to manage performance and legal risks. Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer combines her more than 22 years of health industry regulatory and risk management experience with an in-depth knowledge of workforce management and regulation to help clients manage performance and legal and operational risks. Her experience includes advising public and private health industry clients domestically and internationally on a wide range of matters. A widely published author and popular speaker, Ms. Stamer’s insights on health industry matters also are quoted in HealthLeaders, Managed Care Executive, the Wall Street Journal and many other national popular, business and industry publications.
Ms. Stamer is scheduled to begin her remarks at Noon on June 17, 2009 at the offices of the Dallas Bar Association located at 2101 Ross Avenue, Dallas, Texas 75201. For additional information, call the Dallas Bar Association at 214-220-7400 or see http://www.dallasbar.org.
Posted by Cynthia Marcotte Stamer
May 1, 2009
Today is no longer the deadline for health care providers and other businesses regulated by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) to begin complying with the identity theft detection and prevention (“Red Flag Rules”) adopted by the Federal Trade Commission (“FTC”).
While health care providers have more time to comply, they can’t breathe easy. Finalizing arrangements to comply with these new mandates and other recent amendments to the health care privacy and data security requirements applicable to health care providers under recently enacted amendments to the Health Insurance Portability & Accountability Act (“HIPAA”) and FACTA and other recent regulatory and enforcement changes to these rules requires that health care providers move quickly. Learn more about these recent changes at http://solutionslaw.wordpress.com/2009/04/18/hhs-ftc-release-guidance-on-hitech-act-data-breach-rules-for-hipaa-covered-entities-entities-dealing-with-personal-health-records.
The FTC announced yesterday (April 30, 2009) its extension of the Red Flag Rule enforcement date until August 1, 2009. Before yesterday’s announcement, health care providers and certain other FACTA-regulated businesses were required to comply with the Red Flag Rules today. The announcement means these organizations now have an additional three months to adopt the necessary policies and processes to monitor and respond to possible identity theft required under the Red Flag Rules.
According to the FTC announcement, organizations regulated by FACTA also will need to review their practices in light of additional guidance that the FTC expects to issue soon. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC plans to soon release a template to help them comply with the law. Yesterday’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.
FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials was an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm. The resources also included a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule.
You can find more information about the Red Flag Rules and other privacy and identity theft matters at CynthiaStamer.com. If you need assistance with questions or compliance with these or other privacy and data security rules or other health law matters, contact Cynthia Marcotte Stamer at (214) 270.2402, or cstamer@cttlegal.com. To receive future Solutions Law Press Health Care Updates, register to participate in this Solutions Law Press Health Care Update blog, register at CynthiaStamer.com or join the SLP Health Care Risk Management & Operations Group on linkedin.com.
Posted by Cynthia Marcotte Stamer
April 30, 2009
With U.S. officials confirming the first swine flu attributed death in the U.S. yesterday and the number of U.S. reported cases expected to top 100 today, health care providers and organizations are initiating their pandemic response plans to help their organizations, people, patients and communities respond to the rapidly spreading epidemic.
Whether or not the swine flu outbreak reaches the level of an official pandemic, official reports reflect a legitimate need for concern. According to officials from the Centers for Disease Control and Prevention (CDC), victims of the swine influenza A (H1N1) virus infection already have been reported in 10 states, and the number of people known to be infected with the 2009 H1N1 influenza strain grew to 91 in the U.S. as of Wednesday. That number includes the first U.S. swine flu fatality: a 22-month-old child from Mexico who died of the illness Monday at a Houston, Texas hospital while visiting the United States. While swine flu victims have been reported in more than 11 countries, the majority of the incidents of the disease and deaths as of Wednesday morning had occurred in Mexico. Alarm that the outbreak will reach pandemic proportions continues to grow.
In response to the expanding crisis, the CDC yesterday released updated interim guidance on the use of antiviral agents for treatment and chemoprophylaxis of patients with confirmed, probable or suspected swine influenza virus infection and their close contacts. This guidance is only part of a growing host of resources for health care providers and other parties posted at http://www.pandemicflu.gov, the website founded by the U.S. government to provide one-stop access to U.S. Government swine, avian and pandemic flu information. The website links to a growing list of special guidance provided by the CDC and other organizations for health care organizations and providers, public officials, schools, businesses, the public and others. Health care providers and other concerned parties should check this site regularly for updates about the latest guidance for responding to and treating swine flu.
Health care providers, schools, government agencies and others concerned about preparing to cope with pandemic or other infectious disease challenges also may want to review the guidance for health care providers and public health officials as health care providers, employers, and public entities contained in the pandemic and privacy planning workshop materials “Planning for the Pandemic” authored by Curran Tomko Tarski LLP partner Cynthia Marcotte Stamer available at http://www.cynthiastamer.com/documents/speeches/20070530%20Pan%20Flu%20Workplace%20Privacy%20Issues%20Final%20Merged.pdf.
Health care providers also should educate employees, patients and the public about the steps they should take to help minimize their risk of contracting the disease. While the CDC says getting employees and their families to get a flu shot remains the best defense against a flu outbreak, it also says that getting individuals to consistently practice good health habits like covering a cough and washing hands is another important key to preventing the spread of germs and respiratory illnesses like the flu. Health care providers, employers, public officials and others should encourage patients, employees and their families and others to take the following steps and to coach others they know to do so as well:
- Avoid close contact with people who are sick. When you are sick, keep your distance from others to protect them from getting sick too.
- Stay home when you are sick to help prevent others from catching your illness. Cover your mouth and nose.
- Cover your mouth and nose with a tissue when coughing or sneezing. It may prevent those around you from getting sick.
- Clean your hands to protect yourself from germs.
- Avoid touching your eyes, nose or mouth. Germs are often spread when a person touches something that is contaminated with germs and then touches his or her eyes, nose, or mouth.
- Practice other good health habits. Get plenty of sleep, be physically active, manage your stress, drink plenty of fluids, and eat nutritious food.
To help promote this message, health care providers, public officials and businesses may want to download and circulate some of the many free resources published by the CDC at http://www.cdc.gov/flu/protect/habits.htm.
Cynthia Marcotte Stamer and other members of Curran Tomko Tarski LLP are experienced with advising and assisting health care providers, public agencies, schools, businesses and other employers with these and other health care, workforce, crisis preparedness and response and related matters. If your organization needs assistance with assessing, , please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402. For additional information about the experience and services of Ms. Stamer and to access some of her publications, see www.cynthiastamer.com or www.cttlegal.com.
Posted by Cynthia Marcotte Stamer
April 4, 2009
In a March 19, 2009 ruling, the U.S. District Court for the Northern District of Texas recently recognized that the Texas Whistleblower Act prohibits health care organizations run by the State of Texas from retaliating against employees for making good faith complaints of violations of the Privacy Rules of the Health Insurance Portability Act (“HIPAA”).Nevertheless, the court dismissed the wrongful discharge lawsuit brought by a former Terrell State Hospital security guard who alleged he was wrongfully fired for complaining to the U.S. Department of Health and Human Services Office of Civil Rights (”OCR”) that the Hospital violated the HIPAA Privacy Rules because the plaintiff had failed to present sufficient proof that he was terminated in retaliation for filing a HIPAA complaint.
Illustrative of a growing number of state law retaliatory discharge claims brought be employees claiming to have been retaliated against for complaining about alleged violations of HIPAA’s Privacy Rules, Faulkner v. Department of State Health Servs., 2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009), involved claims made by plaintiff Anthony Faulkner (”Faulkner”) that the Texas Department of State Health Services (”DSHS”); Terrell State Hospital; Texas DSHS Commissioner David L. Lakey, M.D.; Terrell State Hospital Superintendent Fred Hale; and Terrell State Hospital Risk Management Coordinator Clent Holmes, R.N. violated the Whistleblower Act and the First and Fourteenth Amendments by firing him seven days after he complained to OCR that Terrell State Hospital violated the HIPAA Privacy Rule by leaving admissions logs containing patient names and admission dates in a public area.
The Texas Whistleblower Act generally prohibits a state or local governmental entity from terminating or taking any other adverse personnel action against a public employee who in good faith reports a violation of law by the employing governmental entity or another public employee to an appropriate law enforcement authority. See Tex. Gov’t Code § 554.002(a). While the Court affirmed that the Texas Whistleblower Act permits a public employee of the State of Texas who is discharged or otherwise retaliated against for complaining in good faith to OCR that his public employer or its employee violated the HIPAA Privacy Rules to bring a claim, the Court nevertheless granted summary judgment to the defendants.
According to the court, Faulkner’s failure to introduce evidence rebutting defendant’s affidavit that he was terminated for repeatedly violating rules requiring him to report suspected abuse of patients precluded him from proving his termination was in retaliation for his filing of the HIPAA complaint. Meanwhile, the court also ruled that Faulkner’s claims against the individual defendants should be dismissed as the Whistleblower Act only creates a cause of action against governmental entities and not their employees. Having found Faulkner’s constitutional claims also without merit, the District Court granted the defendant’s motion for summary judgment.
While the defendants were able to overcome Faulkner’s retaliatory discharge claim, the decision highlights the need for health care providers and other HIPAA covered entities to take appropriate precautions to defend against potential wrongful discharge, retaliation or other claims by employees or other service providers for complaining of possible HIPAA violations or for attempting to exercise other HIPAA-protected rights. HIPAA covered entities now should avoid engaging in actions that might unnecessarily fuel claims of retaliation. They also should carefully document and preserve evidence necessary to demonstrate the legitimacy of their disciplinary actions on an ongoing basis.
We hope you found this information helpful. If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other health care or employment laws or wishes to inquire about HIPAA training or other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer via e-mail at Cstamer@Solutionslawyer.net or by telephoning Ms. Stamer at 469.767.8872. You also can review other helpful resources and register to receive other updates at CynthiaStamer.com.
Posted by Cynthia Marcotte Stamer