Hospital |

Mississippi Health Care Staffing Company Nailed For Paying Straight Time For Overtime Hours Worked

August 16, 2023

A Mississippi health care staffing agency, Prime Care Nursing Inc. received a $314,211 lesson from the U.S. Department of Labor Wage & Hour Division (“DOL”) about the consequences of failing to properly pay nurses and other workers required overtime in violation of the Fair Labor Standard Act (“FLSA”).

Located in Jackson and Greenville, Prime Care Nursing provides registered nurses, licensed practical nurses and caregivers to staff hospitals, nursing homes, patients in their homes, hospice agencies and rehabilitation centers throughout Mississippi. A DOL investigation found Prime Nursing Care violated the overtime requirements of the FLSA by failing to pay employees the required overtime rate for overtime hours worked. Rather, Prime Nursing Care paid straight-time hourly rates for all hours of work performed, including hours in excess of 40 hours in a workweek. To remedy the overtime violations, the DOL required Prime Nursing Care to pay $314,211 in back wages and liquidated damages.

The Prime Care Nursing enforcement action highlights the DOL’s concern about perceived noncompliance with FLSA overtime and other requirements within the health care industry and its readiness to investigate and take enforcement action against health industry and other employers for violating theses rules. In support of its efforts to encourage compliance and enforcement of the FLSA within the nursing and health care industry, DOL’s website includes specific fact sheets on nurses and exemptions under the FLSA and nursing care facilities under the FLSA. DOL communications also encourage nursing home and other health industry employees who suspect their employers are not paying required overtime to use the division’s search tool, to download the agency’s new Timesheet App to help monitor if the hours and pay used to calculate their wages are accurate and report suspected violations to DOL.

In the facts of these efforts, nursing services and other health industry employers should use care to ensure that their practices for classifying workers as exempt, non-exempt or contractors, for collecting and retaining time records, and for calculating and paying base and overtime pay are defensible under the FLSA. While not specifically addressed the the DOL’s announcement of this enforcement actions, health industry employers using staffing or other outside sources for staffing also are cautioned to assess their potential exposure for being treated as a joint employer of workers whose services are obtained through staffing or other outside workforce providers. The Biden Administration in the past year has reinstituted interpretations of the FLSA joint employer rules that enhance the risk that two or more employers will be treated as joint employers, jointly and severally liable for overtime worked taking into account the hours an employee works for all businesses considered part of the joint employer group even where they do not share ownership.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and VIce-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | compensation, FLSA, Health Care, Home Health, home health, Hospital, Hospital, hospitals, Labor Law, nursing home, Skilled Nursing Facility, Sober Homes | Tagged: caregivers, Health Care, nursing, Overtime, Wage and Hour | Permalink
Posted by Cynthia Marcotte Stamer

Accommodating Patient Preferences No Defense To Prohibited Employment Discrimination

July 31, 2023

A new federal Equal Employment Opportunity Commission (“EEOC”) lawsuit reminds health industry and other employers that patient or other customer preferences do not justify or excuse an employer’s discrimination against employees in violation of the Civil Rights Act or other federal employment discrimination laws.

Brooklyn-based home health company ACARE HHC Inc., doing business as Four Seasons Licensed Home Health Care Agency (“Four Seasons”) faces a race discrimination suit for allegedly removing home health aides from their work assignments due to their race and national origin to accommodate client preferences.

According to a lawsuit (EEOC v. ACARE HHC d/b/a Four Seasons Licensed Home Health Care, 23-cv-5760), filed by the EEOC in the U.S. District Court for Eastern District of New York on July 31, 2023, Four Seasons violated the Title VII of the Civil Rights Act of 1964 (“Civil Rights Act”) by routinely acceding to racial preferences of patients in making home health aide assignments. The EEOC claims Four Seasons routinely removed Black and Hispanic home health aides based on clients’ race and national origin-based requests. Four Seasons would transfer aides to a new assignment or, if no other assignment was available, the aides lost their employment completely. The EEOC charges this alleged conduct violates the Civil Rights Act, which among other things prohibits employers from discriminating against employees on the basis of race and national origin. The EEOC seeks compensatory damages and punitive damages for the affected employees, and injunctive relief to remedy and prevent future discrimination based on employees’ race and national origin.

The lawsuit, warns employers against resigning or assigning workers to accommodate racial or other prohibited discriminatory preferences of customers, or business partners. “Making work assignment decisions based on an employee’s race or national origin is against the law, including when these decisions are grounded in preferences of the employer’s clients,” said Jeffrey Burstein, regional attorney for the EEOC’s New York District Office.

The lawsuit is one of a plethora of enforcement Civil Rights and other federal discrimination law actions by EEOC, the Department of Health and Human Services Office of Civil Rights, and other federal agencies under the Biden Administration’s prioritization of expansion and enforcement of discrimination and other discrimination and equal opportunity laws.

In light of these efforts, employers should take immediate steps to update policies, postings, training, and practices to ensure their ability to defend their compliance with race and other federal nondiscrimination laws.

For More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Abortion, Academic medicine, air ambulance, Child Care, Childcare, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Direct Primary Care, Discrimination, DME, Doctor, drug treatment, early childhood education, Emergency Care, Employer, exchange plans, Federal Health Center, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Plan, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, Medicare Prescription Drug Program, Mental Health, Nonprofits, nursing home, OCR, OIG, Physician, Prescription Drugs, Provider contracting, Rehabilitation Act, Reproductive Rights, Section 1557, Sexual Abuse, Sexual Assault, Sexual Harassment | Permalink
Posted by Cynthia Marcotte Stamer

HHS Recommits To LGBTQ Nondiscrimination Protections In Newly Proposed Rules; Religious Exemption Likely Limited By Pending HHS Changes In Religious Freedom Protections

July 11, 2023

Health care providers, health insurance issuers, health care professional associations, state and local government entities and other organizations and providers participating or receiving funds from the Department of Health and Human Services (“HHS”) funded programs should evaluate their likely responsibilities and exposures for preventing discrimination on the basis of sexual orientation and gender under the Notice of Proposed Rule Making (“NPRM”) to the Health and Human Services Grants Regulation (the “Proposed HHS Grants Rule”) the HHS Office for Civil Rights (“OCR”) and the Assistant Secretary for Financial Resources (“ASFR”) released to the public today (July 11, 2023) and scheduled for joint publication the Federal Register on July 13, 2023.

Proposed HHS Grants Rule Overview

The NPRM builds on HHS’ efforts to ensure access to health and human services for Lesbian, Gay, Bisexual, Transgender, Queer, and Intersex (“LGBTQI”) individuals in furtherance of President Biden’s Executive Orders on Preventing and Combating Discrimination on the Basis of Gender Identity and Sexual Orientation and Advancing Equality for Lesbian, Gay, Bisexual, Transgender, Queer, and Intersex Individuals by reaffirming the prohibition against discrimination on the basis of sexual orientation and gender identity in federal statutes administered by HHS while defining procedures through which HHS would permit organization with religious objections to seek an exemption from or modification of the otherwise applicable requirements.

The Proposed HHS Grants Rule clarifies and reaffirms HHS’ prohibition against LGBTQI discrimination by stating, “In statutes that HHS administers which prohibit discrimination on the basis of sex, the Department interprets those provisions to include a prohibition against discrimination on the basis of sexual orientation and gender identity, consistent with the Supreme Court’s decision in Bostock v. Clayton County, 140 S. Ct. 1731 (2020), and other federal court precedent applying Bostock’s reasoning that sex discrimination includes discrimination based on sexual orientation and gender identity.”

The Proposed HHS Grants Rule represents the latest effort of HHS to finalize and implement prohibition against LGBTQI individuals in HHS first undertaken in 2016. Since HHS originally adding the prohibition against LGBTQI discrimination to its HHS Grants Rule, HHS faced various court challenges to its LGBTQI nondiscrimination provisions. These challenges included lawsuits challenging HHS’ interpretation of the sex discrimination prohibitions of Title VII of the Civil Rights Act of 1964, 42 U.S.C. 2000e-2(a)(1) (“Title VII”) as prohibiting discrimination based on sexual orientation and identity, First Amendment religious freedom challenges and challenges based on alleged violations of the Administrative Procedures Act.

In the intervening years, HHS originally granted various waivers, then subsequently adopted a blanket non-enforcement policy to address First Amendment religious freedom concerns about the LGBTQI discrimination prohibition and attempted to resolve Administrative Procedures Act challenges in subsequently published versions of the rules. Meanwhile, the U.S. Supreme Court resolved objections to HHS’ expansive interpretation of Title VII as extending to LGBTQI when it affirmed Title VII’s prohibition against discrimination on the basis of sex includes discrimination based on sexual orientation and gender identity in Bostock v. Clayton County, 140 S. Ct. 1731 (2020).

As currently proposed, the HHS Grants Rule has a sweeping reach. In the Proposed HHS Grant Rule, HHS reaffirms that discrimination against LGBTQI individuals is prohibited in virtually all HHS-funded and administered programs while revising the existing HHS Grants Rule to address when and how a provider with faith-based objections to the rules can seek exemption or other religious accommodations from HHS.

As currently proposed the Proposed HHS Grants Rule would treat LGBTQI discrimination as prohibited discrimination on the basis of sex in most HHS regulated or funded programs. The LGBTQI discrimination prohibition would apply to authorizations for domestic resettlement of and assistance to refugees; assistance in transition from homelessness; Children with Serious Emotional Disturbances; Title VII Health Workforce Programs; Nursing Workforce Development; Preventive Health Services Block Grant; Substance Abuse Treatment and Prevention Block Grant; Community Mental Health Services Block Grant; Maternal and Child Health Block Grant; Disaster relief; Low-Income Home Energy Assistance Program; Head Start; Community Services Block Grant Program; and Family Violence Prevention and Services programs.

HHS’ announcement of its plans to reaffirm its LGBTQI equal protection requirements in the HHS Grants Rule likely will prompt new attention and scrutiny from organizations and individuals with faith-based objections to its mandates, particularly given HHS’ release of the rule comes less than two weeks after the Supreme Court’s June 30, 2023 landmark ruling in 303 Creative LLC . v. Elenis, 600 U. S. ____ (2023), upholding the right of a website designer, who believes same-sex marriage contravenes her faith, to exemption from enforcement of a state law that prohibited a public business from communicating to patrons that service would be refused based on sexual orientation.

The Proposed HHS Grants Rule includes provisions requiring HHS to accommodate the religious rights of organizations or individuals with faith-based objections protected by the Religious Freedom Restoration Act (“RFRA”) or the First Amendment when administering and enforcing its provisions without specifically detailing the procedures for raising such objections or the standards HHS will apply to decide whether to approve a request for religious exemption or accommodation.

In this respect, the Proposed HHS Grants Rule provides that a recipient at any time may notify the HHS awarding agency, ASFR, or the Office for Civil Rights (OCR) of the recipient’s view that it is exempt from, or requires modified application of, certain provisions of the Rule due to the RFRA, the First Amendment or another religious freedom law. The Proposed HHS Grants Rule also directs that once the awarding agency receives notice of religious objection from a particular recipient, “any relevant ongoing compliance activity regarding the recipient shall be held in abeyance” until the applicable agencies in legal consultation with the HHS Office of the General Counsel determine whether the recipient is exempt from the application of certain provisions or entitled to modified application of the rules based on a federal religious freedom law.

While the Proposed HHS Grants Rule does not detail the procedures for requesting religious accommodation or the standards HHS will use to decide whether to approve requests, HHS does address those standards and procedures in other guidance, the current provision of which are highlighted on the HHS Conscience and Religious Freedom Webpage. It bears noting, however, that along with the Proposed HHS Grants Rule, HHS also currently is considering a separate proposal to narrow the availability of religious and conscience objections to its rules it announced in a January 5, 2023 Notice of Proposed Rule Making titled “Safeguarding the Rights of Conscience as Protected by Federal Statutes” (“Proposed Religion Rule”). While the official comment period for the Proposed Religion Rule closed on March 6, 2023, its provisions, if adopted as proposed, could materially affect the interpretation and enforcement of the HHS Grants Rule. Accordingly, organizations and other parties concerned about the likely interpretation and enforcement of the HHS Grants Rule with respect to parties claiming religious freedom objections should consider the likely implications of the Proposed Religion Rule in their evaluation of the HHS Grants Rule.

In response to the HHS Grants Rule, all health care providers, health plans and others expected to be impacted by the Proposed HHS Grants Rule should both begin preparing to adjust their existing policies and practices in anticipation of the finalization of the Proposed HHS Grants Rule as well as submit relevant concerns and other feedback on the Proposed Rule by the September 11, 2023 comment deadline established in the NPRM. Providers and other stakeholders with potential faith-based concerns about any of the requirements of the Proposed HHS Grants Rule should take particular note of the Rule’s proposed provisions regarding religious accommodation, taking into account the Proposed Religion Rule purposes of this planning as well as their timely submission of any comments by the applicable September 11, 2023 comment deadline.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Lab Nailed For HIPAA Right Of Access Violation; Other Covered Entities Warned

January 3, 2023

A medical laboratory is the latest health care provider nailed under the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Right of Access Initiative for violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access requirements.

OCR announced the 43rd access rule settlement with Life Hope Labs, LLC (“Life Hope Labs”), a full-service diagnostic laboratory in Sandy Springs, Georgia Tuesday.

In August 2021, a complaint was filed with OCR alleging that Life Hope Labs would not provide a personal representative with a copy of her deceased father’s medical records. The personal representative first requested access to her father’s records on July 7, 2021, but did not receive them until February 16, 2022, over seven months later. OCR’s investigation determined that Life Hope Labs’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

The access rule requires that patients be able to access their health information in a timely manner.

In its Resolution Agreement, Life Hope Labs agreed to pay $16,500 to resolve this investigation. In addition to the monetary settlement, Life Hope Labs also agreed to implement a corrective action plan that includes two years of monitoring by OCR.

In announcing its filing of the settlement, OCR warned other labs and health care providers to ensure their right of access compliance.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer in OCR’s announcement of the settlement. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | ambulance, DME, Doctor, drug treatment, Electronic Health Records, Emergency Care, EMTALA, English as A Second Language, Health Care, Health Care, Health IT, Health Plan, Health Plans, HIPAA, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, medical devices, Pharmaceudical, Pharmacy, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Chiropractor, Modern Vascular Office-Based Labs and Modern Vascular Corporate Entities Face False Claims Act Prosecution

December 19, 2022

Three consolidated False Claims Act (“FCA”) lawsuits against chiropractor Yury Gampel (“Gampel”), 15 Modern Vascular office-based labs owned primarily by Gampel located across the United States, and five Modern Vascular-affiliated companies owned by Gampel alert other chiropractic, physician and other medical providers using office-based labs send a clear warning to other health care providers and suppliers for services covered or billed to Medicare, Medicaid, TRICARE or other federal health care programs about the necessity to ensure their arrangements don’t involve illegal financial relationships or transactions.

False Claims Act Liability Arising From Participation In Or Filing Claims Involving Improper Inducements

The Justice Department suit against the defendants alleges the defendants both arose from the defendants participation in arrangements involving the offering and payment of illegal remuneration in violation of the federal Anti-Kickback Statute (“AKS”) and that the claims for benefits made to Medicare and other federal programs for care provided involving the arrangement violated the FCA.

The AKS generally prohibits any person or entity from soliciting, receiving, offering, or paying any direct or indirect prohibited remuneration as an inducement or reward for referring, recommending, ordering, or arranging for the purchase of any item or service for which payment may be made in whole or in part by a federal health care program. Parties violating the AKS commit a felony punishable with a fine of up to $100,000, imprisonment for up to 10 years or both.

In addition to any criminal liability arising under the AKS, filing claims derived or involving transactions prohibited by the AKS also can trigger liability for violation of the FCA. The FCA makes it unlawful for any person to submit, directly or indirectly, false or fraudulent claims for payment to the Government by among other things:

Knowingly presenting, or causing to be presented, a false or fraudulent claim for payment or approval in violation of 31 U.S.C. § 3729(a)(1)(A) (the “presentment provision”); or
Knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim in violation of 31 U.S.C. § 3729(a)(1)(B).

The FCA defines the term “knowingly” under the FCA very broadly. As defined, “knowingly” means that a person, with respect to information, (i) has actual knowledge of the information, (ii) acts in deliberate ignorance of the truth or falsity of the information, or (iii) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. § 3729(b). No proof of specific intent to defraud is required to show that a person acted knowingly under the FCA.

Violations of the FCA subject the defendant to mandatory civil penalties per FCA violation, plus three times the amount of damages that the Government sustains as a result of the defendant’s actions. 31 U.S.C. § 3729(a). Under 42 U.S.C. § 1320a-7(b)(7), health care providers submitting claims to Medicare or other federal health care programs also can face exclusion from participation in federal health care programs for FCA violations.

Health care providers filing claims for Medicare or other federal health plans can violate the FCA by knowingly presenting or causing to be presented claims for items or services that the person knew or should have known were not medically necessary, or were false or fraudulent. 42 U.S.C. §§ 1320a-7a(a)(1).

Moreover, health care providers under the Medicare statute have an affirmative duty to familiarize themselves with the statutes, regulations, and guidelines regarding coverage for the Medicare services. As a condition of program participation, Medicare regulations require providers and suppliers to certify that:

The provider or supplier meets, and will continue to meet, the requirements of the Medicare statute and regulations, 42 C.F.R. § 424.516(a)(1), including that any claims and underlying transactions made in a claim for Medicare comply with the Federal anti-kickback statute and the Stark law), and on the supplier’s compliance with all otherwise applicable conditions of participation in Medicare; and
The provider or supplier will not knowingly to present or cause to be presented a false or fraudulent claim for payment by Medicare, or to submit claims with deliberate ignorance or reckless disregard of their truth or falsity.

Additional certifications of continued compliance with these requirements also are required when claims are filed. Accordingly, since health care providers and suppliers are responsible for taking appropriate steps to familiarize themselves with the rules and regulations applicable to their claim and the transactions underlying it and certify in connection with the filing of the claim that the claim and its underlying transactions comply with the law, health care providers filing claims involving prohibited financial incentives or other transactions prohibited by law risk FCA liability.

Gampel, Modern Vascular FCA Complaint

Derived from the Justice Department’s assumption and consolidation of various qui tam lawsuits separately brought by various physicians, the United States filed its complaint in three consolidated lawsuits pending in the United States District Court for the District of Arizona under the qui tam, or whistleblower, provisions of the False Claims Act, 31 U.S.C. §§ 3729-3733 (“FCA”) which allow a private citizen to sue on behalf of the government and share in any recovery. The United States is also entitled to intervene in the lawsuits, as it did in these cases.

The resulting consolidated three consolidated Justice Department lawsuits seek to recover treble damages and civil penalties, and under common law and equitable theories of recovery from defendants for their billing of Medicare, TRICARE and other federal health care programs for claims resulting from transactions involving prohibited remuneration offered and provided in violation of the AKS under Gampel’s alleged schemes Nobility Management LLC; Modern Vascular LLC; Modern Vascular of South Florida LLC; Modern Vascular Management LLC; Modern Vascular Management – East LLC; Modern Vascular Management – West LLC; Modern Vascular Institute LLC; Modern Vascular of Mesa LLC; Modern Vascular of Glendale LLC; Modern Vascular of Sun City LLC; Modern Vascular of Tucson LLC; San Antonio Vascular Specialists Corp. dba Modern Vascular; Fort Worth Vascular Specialists Corp. dba Modern Vascular; Modern Vascular of Denver LLC; Modern Vascular – Navajo LLC; Modern Vascular of Fairfax LLC; Modern Vascular of Houston LLC; Modern Vascular of Indianapolis LLC; Modern Vascular of Southaven LLC; Modern Vascular of St. Louis LLC; and Modern Vascular of Kansas LLC.

The Justice Department complaint alleges Defendant Yury Gampel, a chiropractor, is the founder and former Chief Executive Officer (“CEO”) of a franchise of office-based labs (“OBL”) located in Arizona, New Mexico, Colorado, Texas, Indiana, Kansas, Mississippi, Missouri, Tennessee, and Virginia operating under the name Modern Vascular (collectively, the “Modern Vascular OBLs”). The Modern Vascular OBLs – each its own separate legal entity – focus on the treatment of peripheral arterial disease (“PAD”), particularly through an aggressive use of vascular intervention procedures, such as angioplasty and atherectomy. The complaint claims Gampel and the Modern Vascular defendants designed and promoted the franchises that incorporated a package of management and other services provided by various Modern Vascular defendant companies.

Defendant Nobility Management, LLC, provides management services to the Modern Vascular OBLs. Defendants Modern Vascular Management, LLC; Modern Vascular Management – East, LLC; and Modern Vascular Management – West, LLC, offer
IT and management support to Modern Vascular OBLs. Defendants Modern Vascular, LLC, and Modern Vascular of South Florida, LLC, are corporations controlled by Gampel that have various ownership interests in Modern Vascular OBLs. Through Modern Vascular, LLC, and Modern Vascular of South Florida, LLC, and in his own capacity, Gampel is the majority owner of the Modern Vascular OBLs. (These entities that own and manage the Modern Vascular OBLs are referred to collectively below as “Modern Vascular Corporate.”)

The complaint alleges that Gampel and Modern Vascular Corporate designed and implemented a fraud scheme at Modern Vascular OBLs at the expense of patients and federal payors from at least January 1, 2018 through June 30, 2022. Among other things, the complaint charges Gampel and the Modern Vascular defendants offered physicians the opportunity to invest in Modern Vascular office-based labs to induce them to refer their Medicare and TRICARE patients to Modern Vascular for the treatment of peripheral arterial disease. More specifically, Gampel and Modern Vascular Corporate opened Modern Vascular OBLs in new markets where referring physicians and vascular surgeons had established relationships. Prior to opening an OBL in a particular location, Gampel sought out up to 20 local physicians – usually podiatrists and pain management physicians – who traditionally referred to vascular surgeons and offered each up to a two percent ownership interest in the OBL in order to induce the physicians to refer to the OBL. Gampel and Modern Vascular Corporate selected these particular physicians (hereinafter “physician investors”) to offer ownership investment because Gampel and Modern Vascular Corporate identified them as potential high-referral sources. Once they invested in an OBL, Gampel and Modern Vascular Corporate further required the physician-investors to make referrals to Modern Vascular OBLs as a condition for remaining as a physician-investor. The complaint also alleges that Gampel pressured vascular surgeons and interventional radiologists employed at the Modern Vascular office-based labs to increase the number of invasive surgical procedures performed by tracking procedures and setting aggressive weekly and monthly goals for such procedures. In particular, Gampel and Modern Vascular Corporate provided remuneration to physician investors in Modern Vascular OBLs to induce those investors to refer patients to the Modern Vascular OBL.

The Justice Department charges that using this scheme, Defendants between January 1, 2018 and June 30, 2022 submitted, and caused to be submitted, tens of millions of dollars in false or fraudulent claims to Medicare, TRICARE and other federal health care programs by offering and providing illegal remuneration to health care providers to induce referrals to the Modern Vascular OBLs in violation of the Anti-Kickback Statute (“AKS”), 42 U.S.C. § 1320a-7b. To induce referrals, Gampel and Modern Vascular Corporate provided remuneration to physician-investors in the form of equity ownership interests in an OBL, which also included distributions, the prospect of future distributions, and/or the prospect of a cash-out of the equity ownership amounts when
the Modern Vascular OBLs were sold. During the relevant time period, the Justice Department also claims Modern Vascular
OBLs received over $50 million from Medicare Part B alone for claims submitted for patients referred by physician-investors in violation of the FCA.

Warning To Other Heath Care Providers & Suppliers

In announcing its filing of the Gambrel FCA lawsuit, the Justice Department warned other federal health program providers and suppliers and their business partners, investors, employees and agents from violating the AKS, FCA or both in the provision of or billing of health care services or supplies. “As part of our mission to protect the American people, the FBI remains committed to safeguarding patients who rely on our healthcare systems,” said Deputy Assistant Director Aaron Tapp of the FBI’s Criminal Investigative Division. “The FBI and our law enforcement partners will continue to investigate those who abuse our healthcare systems, place patients at risk, and waste taxpayer dollars.”

This warning, along with the ever-lengthening list of federal criminal and civil prosecutions, convictions and settlements by the Justice Department, the Department of Health & Human Services Office of Inspector General and other agencies provide a strong warning to health care providers, suppliers and others involved in creating or administering transactions and other arrangements for the delivery and billing for health are to be billed to Medicare, Medicaid, TRICARE and other health care arrangements covered by the AKS, the FCA or other federal or state health care fraud laws to take well documented care to ensure the care delivery arrangement does not involve transactions prohibited under the AKS or other federal or state health care fraud transactions and the care billed qualifies for reimbursement before submitting the claim. Parties who know or suspect that they may have participated in an arrangement prohibited under these laws or submitted prohibited claims should contact experienced legal counsel within the scope of attorney-client privilege for assistance in reviewing those concerns and exploring options for correction or mitigation.

For More Information

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC, Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

NOTICE: Terms. These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances. The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Leave a Comment » | Academic medicine, Anti-KickBack, ASC, billing, compensation, Conditions of Participation, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, Home Health, Hospice, Hospital, Hospital, Indian Health, Inpatient Rehabilitation Facility, Laboratory tests, Laws, long-term care, Medicaid, Medicaid Advantage, Medicare, Mergers and Acquisitions, nursing home, Outpatient, pain management, Pharmaceudical, Physician, Physician Licensing, Prescription Drugs, Reimbursement | Tagged: Anti-Kickback, Health Care Fraud, Health Care Reimbursement, Medicaid, Medicare, Office-based labs | Permalink
Posted by Cynthia Marcotte Stamer

Act Promptly To Comment On ONC’s Proposed Electronic Clinical Quality Measure Draft Changes

September 14, 2022

Health care providers, health plans and insurers and other stakeholders concerned about the Department of Health and Human Services Office of the National Coordinator for Healthcare Information (“ONC”) electronic clinical quality measures (“eCQMs”) have the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by ONC as part of ONC’s 2022 Change Review Process (CRP) for the ONC Project Tracking System. Interested stakeholders must monitor the posting of issues and act quickly to share their feedback, however, as stakeholders have only two weeks to comment after a ONC posts a new proposed eCQm change.

eCQMs As Measure of Health Care Quality

Electronic clinical quality measures or “eCQMs” are tools that ONC develops with stakeholder input to help Medicare and Medicaid measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider’s electronic health record (EHR). CMS Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care. CMS’ eCQMs measure many aspects of patient care, including:

Patient and Family Engagement
Patient Safety
Care Coordination
Population/Public Health
Efficient Use of Healthcare Resources
Clinical Process/Effectiveness

To successfully participate in the Medicare and Medicaid Promoting Interoperability Programs, the Centers for Medicare and Medicaid Services (“CMS”) requires eligible providers, eligible hospitals, critical access hospitals and dual-eligible hospitals electronically to report on eCQMs determined by CMS that require the use of data from the provider’s certified electronic health record (“EHR”) technology (CEHRT) or other health information technology systems to measure and report quality measures in a standardized manner. For calendar year (CY) 2022, Medicare Promoting Interoperability Program participants are required to report on three self-selected eCQMs and the Safe Use of Opioids – Concurrent Prescribing eCQM from the set of nine available for at least three self-selected quarters of CY 2022 data. To report eCQMs successfully, health care providers must use an EHR and adhere to the requirements identified by the CMS quality program. Failing to meet these eCQM reporting requirements can prevent the provider from meeting meaningful use requirements and trigger reductions in reimbursements for care.

Health care quality, credentialing, accreditation, and other provider, health plan and other organizations also use the eCQMs data alone or with other quality measures and tools to set standards and assess and enforce quality goals and performances.

As the proposed changes on a relevant eCQM could materially impact the reporting responsibilities of the reporting providers, the quality and meaning of a proposed data measure, or both, impacted stakeholders should monitor the system for possible changes impacting the eCQMs used or applicable to their organizations and its activities and if appropriate, comment promptly.

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

Evidence-based Medicine
Code Sets
Measure Logic

Conducted annually as part of OCN’s eCQM Issue Tracker project, the CRP provides eCQM users the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by the measure stewards. The goal of the CRP is for eCQM implementers to comment on the potential impact of draft changes to eCQMs so CMS and measure stewards can make improvements to meet CMS’s intent of minimizing provider and vendor burden in the collection, capture, calculation, and reporting of eCQMs.

Stakeholders with an account on the ONC Project Tracking System can monitor, review and comment on proposed eCQM changes through the eCQM Issue Tracker project during the two week period following the date the issue is posted in the eCQM Issue Tracker. To participate in the CRP, users must have an ONC Project Tracking System account. New users can create an account via the ONC Project Tracking System website.

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates

Issues Open for Public Comment As of 9/14/2022

CMS eCQM Identifier and Measure Title	CRP Issue Title	Issue Number and Link	Issue Type	Goal of Review	Public Comment Open Date	Public Comment Close Date
Multiple measures	Incorporate ‘Diagnosis’ datatype to capture Hospice Care	CQM-5561	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older Adults	Update Cumulative Medication Duration function to calculate maximum daily frequency	CQM-5562	Logic	Obtain technical feedback	09/07/2022	09/21/2022
Multiple measures	Expand codes using ‘Diagnosis’ datatype to capture Palliative Care	CQM-5563	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
Multiple measures	Require 2 indications of frailty to meet exclusion	CQM-5564	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022
CMS127: Pneumococcal Vaccination Status for Older Adults	Expand numerator to allow for pneumococcal vaccination since 19 years of age	CQM-5565	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022

eCQM Issue Tracker Open Issues As Of September 14, 2022

As proposed eCQM changes are posted for public comment as CRP issues. ONC informs eCQM accountholders of the proposed change or eCQM issue by posting for review in the ONC Project Tracking System. Accountholders only have two weeks after ONC posts a proposed eCQM to comment on the posted issue. Stakeholders interested in commenting on a particular issue must submit their comment in accordance with the directions within this two week period.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement In 9/8 JCEB Webex

September 2, 2022

As qualifying individuals and companies that purchased or received health insurance await instructions on how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Anethesiology, Antitrust, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Federal Sentencing Guidelines, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: Antitrust, Association, competition, Department of Justice, Employers, Group Purchasing Organizations, Health Care, Health Insurance, Health Plans, PBMs, Physician, Prescription Drugs, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Covered Entity Nailed With $300,000+ HIPAA Settlement For Improper PHI Disposal

August 23, 2022

A Massachusetts dermatology practice’s Health Insurance Portability & Accountability Act (“HIPAA”) $300,000 plus settlement with the Department of Health & Human Services Office for Civil Rights (OCR) reminds health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) to use proper practices and safeguards when disposing of protected health information (“PHI”).

Following up on other OCR enforcement involving improper protection and disposal of paper and electronic PHI, the settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) OCR announced today (August 23, 2022) resolves charges that NDELC violated the HIPAA Privacy Rules when it placed specimen containers with patient identifying PHI in its parking lot garbage bin.

OCR interprets HIPAA as requiring Covered Entities to appropriate steps to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public. ”Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer.

On May 11, 2021, NEDLC filed a breach report with OCR that reported empty specimen containers with the PHI on labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. On March 31, 2021, a third-party security guard found one specimen container bearing a label containing patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen. During the investigation, NEDLC stated that from February 4, 2011 until March 31, 2021, it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.

OCR’s New England Regional Office found the practice of disposing of specimen containers with their labels containing PHI violated the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Under the NEDLC Resolution Agreement negotiated to settle the alleged violations, NEDLC paid $300,640 to OCR and agreed to implement a “robust” corrective action plan that includes two years of OCR monitoring. Among other things, the corrective action plan requires NEDLC to:

Within 60 days, develop, maintain, and revise, as needed and present for OCR review its written policies and procedures to comply with the physical safeguard and disposal of PHI created, received or maintained by or on behalf of NEDLC and all other HIPAA Privacy, Security and Breach Notification and training protocols to ensure workforce member compliance with these policies; and sanctions for workforce members violating these requirements;
Implement the updated policies and procedures within 30 days of receipt of HHS approval;
Distribute the policies to existing members of its workforce within 30 days of receipt of HHS approval of the policies and subsequently to new members of the workforce within 30 days of their beginning of service and obtain a signed written or electronic initial compliance certification from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures;
Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed, provide the revised policies and procedures to HHS for review and approval, and redistribute to and obtained new compliance certifications from workforce members and business associates within 30 days of HHS approval;
If it receives information during the Compliance Term that a workforce member or business associate may have failed to comply with its policies and procedures for safeguarding PHI, promptly investigate and it the investigation finds a violation, notify HHS within 30 days of the violation and corrective action taken;
Comply with specified breach investigation and notification requirements;
Provide reports certified by a designated leader of the organization its implementation of the corrective action plan, annually and upon the occurrence of certain other events during the two-year monitoring period.

The NEDLC Resolution Agreement is not the first time OCR has nailed a Covered Entity for improper disposal of PHI. In 2015 Cornell Prescription Pharmacy paid OCR $125,000 and implemented a correction action plan to correct alleged HIPAA violations after an OCR investigation of a local news report confirmed unsecured paper documents containing PHI of more than 1600 patients were disposed of in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. See Cornell Prescription Pharmacy Resolution Agreement. See also $800,000 HIPAA Settlement in Medical Records Dumping Case.

To reduce their own exposure to potential HIPAA liability arising from improper disposal of PHI, covered entities should evaluate the adequacy of the PHI handling, security and disposal policies, procedures, training and compliance for potential weaknesses and take appropriate, timely documented corrective action to tighten their compliance with OCR’s regulations, OCR’s Frequently Asked Questions About the Disposal and other OCR enforcement actions and guidance on PHI disposal.

Since these evaluations could uncover past or ongoing compliance concerns, Covered Entities and business associates should consider engaging legal counsel experienced with HIPAA compliance to advise and aid the Covered Entity to structure, conduct, evaluate findings and determine and implement any corrective actions that the review reveals as required or advisable within the scope of attorney client privilege.

Effective protection and disposal of PHI requires that Covered Entities recognize and keep track of all PHI in the various phases of its lifecycle in the organization including when it is being disposed or or migrating through various systems. Sanctions for disposal of specimen bottles containing PHI labels should raise the need for awareness of disposal practices for other patient labeled items including identification bracelets, medication containers and labels, meal trays and the plethora of other items containing patient specific information. PHI disposal issues also can arise out of the disposal of files, storage containers, computers, copiers or other devices. For instance, under the Affinity Health Plan, Inc. Resolution Agreement, Affinity Health paid OCR $1,215,780 to settle potential HIPAA Civil Monetary Sanctions after OCR found it exposed the PHI of up to 344,579 individuals by returning photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

Because HIPAA obligations continue even when a Covered Entity or business associate goes out of business, Covered Entities also need to take appropriate steps to provide for ongoing management, protection and disposal of PHI when they or a business associate ceases business. Thus, in the FileFax Resolution Agreement, for instance the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $ 100,000 out of the receivership estate to OCR to settle potential HIPAA violations after Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

Covered Entities must understand that these responsibilities generally cannot be met merely through adoption of a standard set of policies and procedures from a third-party. The HIPAA Privacy Rule requires all Covered Entities to prepare and document risk assessments and develop and enforce appropriate privacy and security policies and procedures. Security and disposal practices and procedures are among the elements of HIPAA compliance that OCR expects Covered Entities to address in the documented risk assessments the regulations require Covered Entities to prepare and maintain. See $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis. As with other HIPAA compliance responsibilities, OCR regulations require that Covered Entities include their documented assessment and decision-making about the adequacy and reasonableness of their PHI protection and destruction practices under HIPAA as part of their overall HIPAA risk assessment plan and practices.

While OCR guidance provides some examples of several practices that a Covered Entity might use that could or could not meet the destruction standards, these examples are not safe harbors. The regulations and guidance expect Covered Entities to conduct a documented review and assessment “of their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.” OCR guidance directs that Covered Entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. Covered entities are responsible for conducting and documenting their analysis as well as their adoption, implementation and enforcement of the resulting policies and procedures.

If circumstances come to light that indicate a breach of the standards in the course of the disposal compliance assessment or otherwise, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, Covered Entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling PHI could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

About the Author

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Anethesiology, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: Abortion, dobbs, Health Care, HIPAA, Physician, Protected Health Information, Reproductive Rights | Permalink
Posted by Cynthia Marcotte Stamer

6 Texas Physicians Face Federal Health Care Fraud Charges For Alleged Improper Kickbacks & Lab Testing Claims

May 29, 2022

The Department of Justice sent another strong warning to physicians and other health care provides not to violate the False Claims Act by making improper patient referrals in violation of the Anti-Kickback Statute and the Stark Law, billing federal health care programs for medically unnecessary laboratory testing or other services or both when charged six Texas physicians with federal health care fraud this week. The prosecution of the physicians for laboratory tests arranged and billed through management services organizations also reminds physicians and other providers that reliance upon management services or other third-party service providers generally does not protect a physician participating in prohibited laboratory or other testing, durable medical equipment, facility, physical therapy or other health care billing or referral arrangements from liability.

Charges Against Texas Physicians

This week, the Justice Department added the following six physicians as defendants to criminal charges filed in a False Claims Act complaint filed in January 2022 against former True Health Diagnostics LLC (THD) CEO Christopher Grottenthaler, former Boston Heart Diagnostics Corporation (BHD) CEO Susan Hertzberg, former LRH CEO Jeffrey Madison, and others:

Doyce Cartrett, Jr., M.D., of Silsbee, Texas, allegedly received over $320,000 from LRH and two management services organizations or “MSOs,” Ascend MSO of TX LLC (Ascend) and Eridanus MG LLC (Eridanus), in return for his referrals.
Elizabeth Seymour, M.D., of Corinth, Texas, allegedly received over $280,000 from two MSOs, Ascend and Eridanus, in return for her referrals.
Emanuel Paul “E.P.” Descant, II, M.D., of Spring, Texas, allegedly received over $125,000 from two MSOs, North Houston MSO and Tomball Medical Management Inc., in return for his referrals.
Frederick Brown, M.D., of Missouri City, Texas, allegedly received over $190,000 from two MSOs, Ascend and Indus MG LLC (Indus), in return for his referrals.
Heriberto Salinas, M.D., of Cleburne, Texas, allegedly received over $75,000 from two MSOs, Ascend and Herculis MG LLC (Herculis), in return for his referrals.
Hong Davis, M.D., of Lewisville, Texas, allegedly received over $70,000 from two MSOs, Ascend and Herculis, in return for her referrals.

The complaint in United States, et al. ex rel. STF, LLC v. True Health Diagnostics, LLC, et al., No. 4:16-cv-547 (E.D. Tex.) charges that small Texas hospitals including Rockdale Hospital dba Little River Healthcare (LRH), THD, BHD, the six physicians and others conspired to pay physicians to induce referrals to the hospitals for laboratory testing performed by THD or BHD. The charges stem from allegations made under the qui tam or whistleblower provisions of the False Claims Act by STF LLC by Felice Gersh, M.D. and Chris Riedel. The United States intervened in the qui tam action in December 2021.

The complaint alleges the charged hospitals paid a portion of their laboratory profits to recruiters, who in turn kicked back those funds to the referring physicians through MSOs allegedly set up by the recruiters to make payments to referring physicians. The Justice Department charges the alleged kickbacks were disguised as investment returns but actually were based on, and offered in exchange for, the physicians’ referrals. The complaint alleges that laboratory tests resulting from this referral scheme were billed to various federal health care programs, and that the claims not only were tainted by improper inducements but, in many cases, also involved tests that were not reasonable and necessary.

The Justice Department reports that before adding charges against the six physicians to the complaint this week, the Justice Department recovered more than $31 million relating to conduct involving BHD, THD and LRH, including False Claims Act settlements with 29 physicians, two health care executives and a laboratory company.

Health Care Fraud Liability Under False Claims Act, Anti-Kickback Statute, Stark Law

The Anti-Kickback Statute prohibits offering, paying, soliciting or receiving remuneration to induce referrals of items or services covered by Medicare, Medicaid and other federally-funded programs. The Stark Law forbids a hospital or laboratory from billing Medicare for certain services referred by physicians that have a financial relationship with the hospital or laboratory. The Anti-Kickback Statute and the Stark Law seek to ensure that medical providers’ judgments are not compromised by improper financial incentives and are instead based on the best interests of their patients.

The False Claims Act prohibits health care providers from billing federal health care programs for services resulting from referrals prohibited by the Anti-Kickback Statute or the Stark law.

Under the False Claims Act, a private party can file an action on behalf of the United States and receive a portion of the recovery. The False Claims Act also allows the Justice Department to intervene in such lawsuits and add claims and defendants, as happened in this litigation. The qui tam case is captioned United States, et al. ex rel. STF, LLC v. True Health Diagnostics, LLC, et al., No. 4:16-cv-547 (E.D. Tex.). If a defendant is found liable for violating the act, the United States may recover three times the amount of its losses plus applicable penalties.

The United States’ pursuit of this lawsuit illustrates the government’s emphasis on combating health care fraud generally with a special emphasis on physicians. For instance, U.S. Attorney Brit Featherston is quoted as saying, “Schemes that funnel health care referrals do not work without the participation of physicians. … They are not merely passive players in these elaborate schemes, but an integral part, without which the scheme could not exist. Our office is committed to rooting out health care fraud by pursuing all players involved the scheme, from the laboratories and their leaders to the marketers and the physicians who make it all possible. Naming these physicians in the complaint is evidence of that commitment.”

Given this clear warning, physicians and other prescribers, as well as recruiting, billing and management services organizations, laboratories and others involved in recruiting and marketing, providing or billing for laboratory or other services to double check the appropriateness of their referral and other practices keeping in mind that the Anti-Kickback Statute and Stark Law prohibitions against direct and indirect compensation can reach to a wide range of subtle value and benefits in addition to the obvious payment of cash or gifts delivered in a multitude of ways. The prosecution of these physicians for referrals made and compensation delivered under management services contracts also clearly warns physicians and other providers against expecting their reliance upon billing, management services or other staff or management service providers to shield them from liability if an improper referral or payment happens.

More Information

About the Author

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Anti-KickBack, billing, Centers For Disease Control, Conditions of Participation, DME, Doctor, Durable Medical Equipment, E-Prescribing, false claims act, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Laboratory tests, Licensing, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Money Laundering, nursing home, OIG, Opiates, Pharmaceudical, Physician, Physician Licensing, Reimbursement, Stark, Substance Abuse | Tagged: Federal Sentencing Guidelines, Opiate, pain management, Physician | Permalink
Posted by Cynthia Marcotte Stamer

SCOTUS: Emotional Injury Damages Not Recoverable In Patient’s Private Rehab Act and ACA Disability Discrimination Lawsuit But Other Significant Liability Risks Remain

May 2, 2022

Today’s Supreme Court ruling that emotional distress damages are not recoverable in a private action to enforce the disability discrimination and accommodation requirements of either the Rehabilitation Act of 1973 (“Rehab Act”) or the Patient Protection and Affordable Care Act (“ACA”) prevents health care and other businesses subject to these requirements against the risk of large emotional injury awards in private actions for discrimination based on these laws. However, health care providers and other organizations subject to these requirements should use care to maintain compliance to avoid large actual damage awards to plaintiffs bringing private lawsuits, program exclusion, penalties or other governmental sanctions or both.

Cummings Supreme Court Ruling

The May 1, 2022 United States Supreme Court ruling in Cummings v. Premier Rehab Keller authored by Supreme Court Justice John Roberts resulted from a suit that sought emotional distress damages brought by filed by a deaf and legally blind woman, Jane Cummings against Premier Rehab Keller after it denied her request that it provide an American Sign Language interpreter at her physical therapy sessions. Premier Rehab told Cummings the therapist could communicate with her through other means, Claiming Premier Rehab’s failure to provide an ASL interpreter constituted discrimination on the basis of disability in violation of the Rehab Act and Section 1557 of the ACA, Cummings sued Premier Rehab seeking various damages and other relief, including emotional distress damages.

The Supreme Court took notice that Premier Rehab was subject to these laws because its receipt of Medicare and Medicaid payments qualified as federal financial assistance triggering their applicability.

The Supreme Court affirmed the previous District Court and Fifth Circuit Court of Appeals’ rulings that emotional distress damages are not recoverable in a private action to enforce either the Rehab Act or the ACA.

The Supreme Court Majority based its decision on its finding that the Rehab Act and Act both are spending statutes that condition their offer of federal funding on a promise by the recipient not to discriminate creating what amounts essentially to a contract between the Government and the recipient of funds. Following previously established Supreme Court precedent for “private spending clause actions,” the Court ruled the emotional distress or other remedy is not available unless “the funding recipient is on notice that by accepting federal funding, it exposes itself to liability of that nature.”

To decide whether emotional distress damages are available under the Spending Clause statutes in this case, the Court therefore asked if a prospective funding recipient deciding whether to accept
federal funds would have had “clear notice” regarding that liability. Because the two statutes are silent on the availability of emotional injury damages, the Supreme Court followed prior precedent by looking to whether the emotional damages sought by Cummings were the type of damages traditionally available in suits for breach of contract so as to put Premier Rehab and other defendants on notice of their exposure to such damages from actions under the Rehab Act or ACA. While acknowledging some exceptional circumstances where punitive damages may be recovered where “the conduct constituting the breach is also a tort for which punitive damages are recoverable,” the Court found such damages “are generally not available for breach of contract.” Concluding that the recognized exception to the general rule was insufficient to give funding recipients the requisite notice that they could face such damages. the Supreme Court ruled that funding recipients under the Rehab Act and the ACA “have not, merely by accepting funds, implicitly consented to liability for punitive damages.”

To read the full Majority opinion and related consenting and dissenting opinions, see here.

Liability Risks Remain Substantial Despite Cummings Ruling

While the Supreme Court’s ruling means private litigants cannot recover emotional injury damages in discrimination actions brought to enforce the Rehabilitation Act or the ACA, health industry and other organizations remain subject to other substantial liability risks for improper discrimination in violation of those laws. Beyond recoveries for actual damages, attorneys’ fees and costs recoverable by private litigants, covered organizations also can face substantial civil monetary penalties, program disqualification, in some instances even False Claims Act liability for billing in violation of program conditions of participation and other risks. As federal agencies continue to make enforcement of these sanctions a priority, organization covered by either of these laws should use care to maintain appropriate compliance and risk management to ensure their ability to defend against any potential charges.

For instance, HHS recently reaffirmed its continued commitment and prioritization of protecting disabled individuals against disability discrimination by its publication of its February 4, 2022 FAQs for Healthcare Providers during the COVID-19 Public Health Emergency: Federal Civil Rights Protections for Individuals with Disabilities under Section 504 and Section 1557. Published to remind health care providers of their obligations under law and provide examples of applicability, HHS clarifies in that guidance that federal civil rights laws apply to health care providers, including those administering COVID-19 testing, medical supplies, and medication. These rules also apply to entities providing hospitalization, long-term care, intensive treatments, and critical care, such as oxygen therapy and mechanical ventilators. HHS also confirm that federal civil rights laws apply to state Crisis Standard of Care plans, procedures, and related standards for triaging scarce resources that hospitals are required to follow. HHS Issues New Guidance for Health Care Providers on Civil Rights Protections for People with Disabilities. See also New Guidance to Boost Accessibility and Equity in COVID-19 Vaccine Programs (December 22, 2021); HHS Takes Action to Prevent Discrimination and Strengthen Civil Rights (November 18, 2021); HHS and DOJ Issue Guidance on “Long COVID” and Disability Rights Under the ADA, Section 504, and Section 1557 (July 26, 2021); OCR Provides Technical Assistance to the State of Arizona to Ensure Crisis Standards of Care Protect Against Age and Disability Discrimination (May 25, 2021); HHS Announces Prohibition on Sex Discrimination Includes Discrimination on the Basis of Sexual Orientation and Gender Identity (May 10, 2021); New Legal Guidance and Resources to Ensure — and Expand — Access to COVID-19 Vaccines for People with Disabilities and Older Adults (April 13, 2021).

HHS’ guidance announcements all include a warning like the one from OCR Director Lisa J. Pino in the February 4, 2022 announcment that “OCR will continue our robust enforcement of federal civil rights laws that protect people with disabilities from discrimination, including when Crisis Standards of Care are in effect.”

The current and historical enforcement record of HHS demonstrates the teeth behind this commitment. OCR has a long and continuing history of extracting substantial settlements or civil monetary penalties from health care or other organizations receiving Medicare, Medicaid or other federal funds administered by HSS for engaging in conduct OCR finds inconsistent with the ACA or Rehabilitation Act discrimination requirements. See, e.g., Settlement Agreement Reached with Rhode Island Department of Children, Youth and Families to Address Discrimination Against Parents with Disabilities (March 30, 2022); Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (December 22, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office for the District of Massachusetts Settle Disability Discrimination Case with Baystate Medical Center (November 17, 2021); HHS Office for Civil Rights and U.S. Attorney’s Office Settle Disability Discrimination Case with Backus Hospital (October 5, 2021); Rhode Island, Massachusetts Healthcare Provider Resolves Allegations of Discriminatory Practices Regarding Patients Needing Opioid Use Disorder Treatment (August 9, 2021).

These OCR guidance and enforcement actions and similar activities by other federal agencies send a strong message that OCR and other federal agencies will continue and expand their zealous investigation and enforcement of disability and other violations by health care providers and other public and private organizations covered by the Rehabilitation Act, the ACA or other federal discrimination and civil rights laws. Health care providers and others regulated by these federal discrimination laws should consider auditing the adequacy of existing practices, reaffirming their own and their business partners’ compliance, retraining workforce and taking other appropriate steps to help prevent illegal discrimination within their organization and to position their organization to respond and defend against potential discrimination investigations or charges.

For Additional Information Or Assistance

If you need have questions or need assistance with health, health or other insurance, employee benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help. Longtime scribe for the American Bar Association Joint Committee on Employee Benefits agency meeting with OCR and author of leading publications on HIPAA and other privacy and data security concerns, Ms. Stamer regularly assists clients and provides input to Congress, OCR and other agencies, publishes and speaks extensively on medical and other privacy and cybersecurity, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. She also is a highly-sought out speaker on privacy and data security who serves on the planning faculty and speaks for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, e-mail Ms. Stamer or call (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

Important Information About This Communication

Leave a Comment » | 1335 Waiver, Academic medicine, ADA, air ambulance, Ambulatory care, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Corporate Compliance, Covid, Disability Discrimination, Discrimination, DME, early childhood education, Emergency Care, Employee Benefits, Employment, false claims act, Health Care, Health Care Fraud, Health Care Provider, health care reimbursement, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Labor Law, Laws, Life Sciences, Medicaid, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, OIG, Opiates, Outpatient, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Section 1557 | Permalink
Posted by Cynthia Marcotte Stamer

Federal Convictions Of Physicians Highlight Need For Care In Opiate & Other Pain Management Prescribing & Billing

March 4, 2022

Physicians and other health care prescribers must remain hyper vigilant when prescribing, documenting, billing and managing opiate and other pain management prescriptions and patients. That’s the clear message sent by the ever-growing wave of federal prosecutions and convictions like the March 2, 2022 federal conviction of Tennessee physician Mark Murphy and his wife, Jennifer Murphy and his wife for unlawfully distributing opioids, providing unnecessary services and defrauding insurers from their now-shuttered North Alabama Pain Services clinics (“NAPS”) and March 1, 2022 sentencing of former physician Patrick Titus to 20 years in prison for his conviction of unlawful distribution of opioid drug outside the usual scope of professional practice and not for legitimate medical purposes as part of the his internal medicine practice.

Tennessee Doctor & Wife Convicted of Pain Management Related Unlawful Opioid Distribution, Health Care Fraud & Other Criminal Charges

The March 2 federal jury conviction of Dr. and Ms. Murphy stemmed from their ownership and operation of their now-defunct pain management clinics resulted from evidence gathered through a joint investigation by the Federal Bureau of Investigation, the Department of Health & Human Services Office of Inspector General, the Internal Revenue Service, and the Drug Enforcement Agency.

During the resulting jury trial, federal prosecutors presented evidence that during the five-year period leading up to the clinic closing its Alabama locations in 2017, Dr. Murphy and Ms. Murphy, who was the office manager, caused over $50 million in fraudulent or unnecessary medical services to be charged to Medicare, TRICARE, Blue Cross Blue Shield of Alabama and others. Evidence at trial showed that NAPS provided pre-signed prescriptions to thousands of patients a month, including prescriptions written outside the usual course of professional practice without a legitimate medical purpose. Federal prosecutors also introduced evidence that the Murphys also solicited and received unlawful payments for referring fraudulent or unnecessary services to patients.

Based on the evidence, the jury found both Dr. and Ms. Murphy guilty on numerous criminal charges including:

Conspiracy to unlawfully distribute and unlawful distribution of controlled substances;
Conspiracy to commit and commission of health care fraud;
Conspiracy to defraud the United States; and
Receiving illegal kickbacks in violation of the Anti-Kickback Statute.

Ms. Murphy also was convicted of tax-related charges for underreporting clinic income.

Currently scheduled for sentencing in June, the Murphys each face a maximum of 20 years in prison for the drug charges and a maximum of 10 years in prison for the health care fraud charges. Both defendants also face a maximum of five years in prison for charges stemming from violations of the Anti-Kickback Statute, and Ms. Murphy faces up to three years in prison for the tax charges.

Former Delaware Doctor Sentenced to 20 Years in Prison for Unlawful Opioid Distribution

The Murphy’s jury conviction came one day after the sentencing of former to 20 years in prison for his July 2021 federal jury conviction on 13 counts of unlawfully distributing and dispensing controlled substances and one count of maintaining a drug-involved premises.

Federal prosecutors presented evidence in court documents and trial that Dr. Titus unlawfully distributed or dispensed opioid drugs including fentanyl, morphine, methadone, OxyContin and oxycodone outside the usual scope of professional practice and not for legitimate medical purposes as part of the his internal medicine practice. The Justice Department charged Dr. Titus frequently prescribed these dangerous controlled substances in high dosages, sometimes in combination with each other or in other dangerous combinations, mostly in exchange for cash. Evidence at trial showed he distributed over 1 million opioid pills without providing any meaningful medical care and to patients he knew were suffering from substance use disorder and/or who demonstrated clear signs that the prescribed drugs were being abused, diverted or sold on the street.

Health Care Fraud Task Force Targeting Opioid Distribution, Billing, & Related Misconduct

Both the Murphy and Titus prosecutions and convictions are two of a growing series of convictions resulted from investigations into opioid and other pain management prescribing conducted as part of efforts targeting physicians and other health care providers involved in prohibited the federal Health Care Fraud Strike Force Program. See e.g., Medical Director Convicted in $110 Million Addiction Treatment Fraud Scheme.

The Federal agencies made a point of warning to other physicians not to overprescribe, bill or engage in other prohibited dealings involving opioids or other controlled substances when announcing the Titus sentencing.

“As we continue the fight against the opioid crisis, this case serves as an important reminder that health care professionals have a duty to prescribe medication responsibly to ensure the well-being of individuals under their care. Failing to do so can endanger patients and undermines critical, ongoing public health measures,” said Special Agent in Charge Maureen Dixon of the U.S. Department of Health and Human Services, Office of the Inspector General (HHS-OIG). “HHS-OIG will continue to work with our law enforcement partners to hold bad actors accountable.”

“This sentence is a reminder that the Department of Justice will hold accountable those doctors who are illegitimately prescribing opioids and fueling the country’s opioid crisis,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division. “Doctors who commit these unlawful acts exploit their roles as stewards of their patients’ care for their own profit.”

“DEA-registered medical practitioners have an important role in our communities to treat patients compassionately and responsibly,” said DEA Administrator Anne Milgram. “Today’s sentencing makes clear that medical professionals who recklessly prescribe opioids and endanger the safety and health of patients will be held accountable.”

More Information

About the Author

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | billing, Centers For Disease Control, Conditions of Participation, Controlled Substances, Corporate Compliance, DEA, Doctor, drug treatment, E-Prescribing, Evidence Based Medicine, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, Health Plans, healthcare, hemp, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Licensing, managed care, marijuana, Medical Licensure, Medical Malpractice, Medical Records, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, Monopoly, OIG, Opiates, pain management, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Substance Abuse | Tagged: Federal Sentencing Guidelines, Opiate, pain management, Physician | Permalink
Posted by Cynthia Marcotte Stamer

California Medical Privacy Rules Eased. New 7/1/2021 rules allow greater flexibility on disclosures of breach and give agency more fine flexibility. https://www.cdph.ca.gov/Programs/OLS/CDPH%20Document%20Library/DPH-11-009-Final-Reg-Text-ADA.pdf?TSPD_101_R0=087ed344cfab2000e6180d5b948228963ad32da0f65608ac719d6195a6f27133d24ce863d99f043c0837b3f91e1430004ffeef0033a9cb5c891c837f86137a340f296f3e726ff679e108e054e92eb347c0a393522a8d745468b6d859b3ba0e76

August 3, 2021

California Medical Privacy Rules Eased. New 7/1/2021 rules allow greater flexibility on disclosures of breach and give agency more fine flexibility. https://www.cdph.ca.gov/Programs/OLS/CDPH%20Document%20Library/DPH-11-009-Final-Reg-Text-ADA.pdf?TSPD_101_R0=087ed344cfab2000e6180d5b948228963ad32da0f65608ac719d6195a6f27133d24ce863d99f043c0837b3f91e1430004ffeef0033a9cb5c891c837f86137a340f296f3e726ff679e108e054e92eb347c0a393522a8d745468b6d859b3ba0e76

Leave a Comment » | Academic medicine, ambulance, Corporate Compliance, Cyber crime, data breach, data security, Doctor, Electronic Health Records, Electronic Medical Records, Emergency Care, Employer, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, Hospice, Hospital, hospitals, Life Sciences, managed care, Medical Privacy, Medical Records, NIST, nursing home, occupational health, OCR, ONC, Pharmacy, Physician, Physician Licensing, Privacy | Tagged: California, Data Breach, Health Care, Medical Privacy, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Comment & Begin Preparation For Compliance With Proposed HIPAA Privacy Rule Changes

December 21, 2020

Health care providers, health plans and health insurers, health care clearinghouses (“Covered Entities”) and their business associates should budget and begin compliance plans, even as they comment on proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule announced by the Department of Health & Human Services Office of Civil Rights (“OCR”) in its December 10, 2020 Notice of Proposed Rulemaking (“Proposed Rule). While the official Federal Register publication date has yet to be announced, OCR already is accepting comments pending the official publication. To assure consideration, comments must be received by OCR no later than 60 days from that official Federal Register publication date.

More than 300 pages in length, the proposed HIPAA Privacy Rule changes include changes OCR intends to strengthen individuals’ rights to access their own electronic and other health information; improve information sharing for care coordination and case management for individuals; facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhance flexibilities for disclosures in the Opioid and COVID-19 public health emergencies or other emergency or threatening circumstances; and reduce administrative burdens on HIPAA covered health care providers and health plans. Highlights of some of the more significant proposed changes that the Proposed Rule will make if adopted as proposed include:

Individual Access Rights Expanded

The Proposed Rule includes a number of changes that if adopted as proposed, will increase significantly the burdens upon Covered Entities of complying with the individual access requirements of the Privacy Rule. Among other things, these include the following:

Responding To Access Requests. The Proposed Rule calls for:
Reducing the maximum period that Covered Entities have to respond to requests to “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request” instead of current 30 calendar days;
Clarifying the current requirement for Covered Entities to provide PHI in the form and format requested by the individual if “readily producible” in that form and format by providing that “readily producible” includes secure, standards-based APIs using applications chosen by the individuals, such as a “personal health application” and protect individual’s rights to take notes, videos, and photographs, or use other personal resources to view or capture PHI in person;
Requiring Covered Entities to allow individuals access to inspect or obtain copies of their own PHI Free of charge when inspecting in person or accessing PHI on the internet, but continue to permit certain fees for labor, supplies, and postage for certain other means of access in accordance with Privacy Rules parameters. In acquiescence to the District Court’s January, 2020 holding that the prohibition against Covered Entities charging for third party copies in the current regulations exceeded its statutory authority in Ciox Health, LLC v. Azar, however the Proposed Rule would allow Covered Entities to charge limited fees to an individual directing transmission of an electronic copy of PHI to a third party under specified circumstances. The Proposed Rule also would require Covered Entities to provide advance notice of estimated fee schedules on their websites (if they have one) for common types of requests for copies of PHI and, upon request, provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies.
Right to Direct Copies to Third Parties. The Proposed Rule will require Covered Entities to transmit electronic PHI in an electronic health record to another Covered Entity as part of the individual’s access right. In addition, also in response to the Coix Health, LLC ruling, the Proposed Rule will limit the current right of an individual to direct a copy of PHI to a third party to an electronic copy and will specify that third party direction request need not be in writing as long as it is “clear, conspicuous, and specific.”
Verification. The Proposed Rule also would prohibit a Covered Entity from imposing “unreasonable” identity verification measures on an individual, including notarization of requests, requiring the individual to provide proof of identity in person when remove verification would be practicable, or requiring the individual to complete a full HIPAA authorization form for an access request.

Encouraging Care Coordination and Case Management Activities

The Proposed Rule also would make a number of changes that OCR believes will remove the barriers created in the current Privacy Rule to Covered Entities, whether a health care provider or health plan, engaging in individual-level care coordination and case management activities. Some of the key elements of these changes include the following:

Clarification of Rules For Individual-Level Care Coordination. The Proposed Rule would revise existing rules regarding sharing of information for individual-level care coordination to apply to Covered Entities involved in such coordination activities, whether or not the participating Covered Entity is participating in the actual care or treatment of the individual by:
- Revising the definition of “health care operations” in the current version of the Privacy Rule to clarify that the Privacy Rule allows sharing of PHI for individual-level care coordination among Covered Entities whether or not the participating Covered Entity is one involved in treatment or non-treatment involved Covered Entities such as health plans;
- Revises the current minimum necessary restriction on the disclosure of PHI for purposes of individual-level care coordination to treat all Covered Entities engaging in individual-based care coordination and case management activities the same, regardless of whether performing the activities under the “treatment” or “health care operations” functions as defined by HIPAA. Currently non-treatment involved Covered Entities participating in care coordination and case management can only receive and share the minimum necessary PHI as their lack of involvement in treatment disqualifies them for reliance upon the treatment exception to the Privacy Rule’s general requirement to limit disclosures to the minimum necessary.
- The Proposed Rule also would allow Covered Entities to disclose PHI to community-based organizations, home and community-based services (HCBS) providers, social services agencies, and other similar third parties providing health-related services for individual-level care coordination and case management without obtaining a valid authorization from the individual.

Required Updates To Notices of Privacy Practices

The Proposed Rule also would change the Privacy Rule Notice of Privacy Practices (“NPP”) requirements in a manner that would require most Covered Entities to update their NPPs and associated privacy policies. In the Proposed Rule, OCR proposes:

Replacing the requirement that certain Covered Entities that have a direct treatment relationship with an individual obtain, and retain copies of, written acknowledgements from that individual confirming their receipt of the NPP with a right for the individual to discuss the NPP with a designee of the Covered Entity.
- Modification of the required NPP content to include an additional description and instruction as to how individuals can exercise their access rights and a new, more detailed and instructive, required header meeting new specifications about the information the NPP provides to individuals with respect to their rights, how to exercise them, and the availability of the Covered Entity’s designated contact person.

Disclosures to Family Members and Other Caretakers in Certain Situations

Continuing a trend that OCR has followed over the past several years in its other guidance, the Proposed Rule also would modify the Privacy Rule under specified conditions to facilitate if not encourage health care providers more broadly to disclose PHI to family members or other caretakers of individuals with substance use disorders (SUD) or serious mental illness (SMI) and in emergency situations with less concern about exposing themselves to liability under HIPAA. The key elements of these changes are accomplished as follows:

The Proposed Rule would replace the current language that allows Covered Entities to make certain uses and disclosures of PHI based on their “exercise of professional judgment” with language allowing disclosure based on a Covered Entity’s “good faith belief” that the use or disclosure is in the best interests of the individual and add a presumption of good faith by the health care provider for this purpose.
- The Proposed Rule would enable Covered Entities to disclose PHI to avert a threat to the health or safety of a person or the public when a harm is “serious and reasonably foreseeable,” instead of the current stricter requirement that the Covered Entity see a “serious and imminent” threat to health or safety.

Clarification Regarding Disclosures to TRS Providers

The Proposed Rule also would amend the current Privacy Rules to remove telephone relay service providers (“TRS providers”) from the definition of “business associates” and expressly to allow disclosures to TRS communications assistants for persons who are deaf, hard of hearing, deaf-blind, or who have a speech disability.

Act Now

HIPAA Covered Entities, business associates and other concerned or impacted persons immediately should begin evaluating the Proposed Rule as soon as possible. As the current comment will end 60 days after the impending publication of the Proposed Rule in the Federal Register, concerned persons desiring a change to any provision of the Proposed Rule should prepare and submit appropriate comments to OCR in a timely fashion within the comment period. In addition, all Covered Entities and their business associates should review the rule in preparation for its provisions taking effect with a particular eye toward understanding the actions necessary to comply with the modified rules and to budget the financial and operational resources likely to be required to accomplish that compliance.

More Information

About the Author

Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Leave a Comment » | 21st century cures act, Academic medicine, ambulance, ASC, Childrens Health Insurance Program, Coronavirus, Corporate Compliance, COVID-19, data breach, data security, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Electronic Medical Records, Emergency Care, Employee Benefits, Employer, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Human Subjects Research, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, managed care, medical devices, Medical Privacy, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Pandemic, participating provider, Pharmaceudical, Pharmacy, Physician, Privacy, Psychiatric, public health, Rural Health Care, Skilled Nursing Facility, transplant, Uncategorized, Veterans Health Administration, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Pennsylvania OCR Settlement Warns Others Against Disability Or Other Civil Rights Discrimination In COVID-19 Resource Allocation & Other Response

April 30, 2020

OCR Says “No” To Allocating Respirators & Other Scarce COVID-19 Care Based On Pre-Existing Medical Conditions

This week’s Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announcement of that the Pennsylvania Department of Health (PDH) has agreed to using a list of preexisting health care conditions to decide patient priority for access to respirators and other scarce resources during the COVID-19 health care emergency flags potential civil rights discrimination violations by the multitude of other State, local, tribal, and territorial public health policymakers, healthcare systems leadership, and other public emergency decision-makers and other public or private HHS funds recipients (collectively “COVID responders”) whose pandemic emergency response plans call for the use pre-existing health conditions or other civil rights act protected status of patients to ration scarce medical resources like ventilators or other scarce resources.

Coupled with other recent guidance warning COVID responders against discrimination and to provide all legally required accommodations for individuals with pre-existing conditions or disorders constituting disabilities, English as a second language, religion, age or other protected status under Section 504 of the Rehabilitation Act of 1973 (“Section 504”), Title II of the Americans with Disabilities Act (the “ADA”), Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal civil rights laws, health care providers, public health authorities and other COVID-19 responders should act immediately to review and take any action needed to correct civil rights law deficiencies in their own COVID-19 emergency policies or operations.

PDH Enforcement Shows Agencies’ Serious About COVID-19 Civil Rights Enforcement

OCR’s April 28, 2020, OCR announcement of PDH’s agreement to revise its Interim Pennsylvania Crisis Standards of Care for Pandemic Guidelines (CSC Guidelines) to revolve an April 3, 2020 civil rights complaint that PDH’s COVID-19 pandemic response plan illegally discriminated against patients with disabilities by denying or lowing the care priority of patients with certain listed preexisting health conditions shows that OCR and other federal agencies are carrying through on promises to take quick enforcement action against COVID-19 responders that violate federal discrimination and other civil rights laws when dealing with the COVID-19 public health emergency in the March 14, 2020 Crisis Standards of Care and Civil Rights Laws guidance (“CSC Guidelines”) and in OCR’s March 28, 2020 Civil Rights, HIPAA, and the Coronavirus Disease 2019 Bulletin (the “Bulletin”).

The CSC Guidelines jointly issued by the Health Care Resilience Taskforce (composed of HHS, FEMA, and the Army Corps of Engineers) warned public health, health care providers and other pandemic decisionmakers against adopting or applying policies in for managing ventilators or other constricted resources during the COVID-19 or other emergencies that negatively impact vulnerable populations (e.g., older adults and persons with disabilities). After reminding state, local, tribal, and territorial policymakers, healthcare systems leadership, and other decision-makers that civil rights laws are not suspended or waived in times of disaster, the CSC Guidelines cautioned “Federal civil rights laws and regulations apply, and have not been suspended, during the COVID19 national health emergency. Federal fund recipients must comply with those requirements.”

OCR reaffirmed the CSC Guidelines warnings in its March 28, 2020 Bulletin reminding health care providers and other HHS fund recipients the laudable goal of providing care quickly and efficiently during the COVID-19 health care emergency still must comply with federal civil rights prohibitions against disability discrimination in HHS funded programs under Section 1557, Section 504, and other civil rights laws, stating:

“persons with disabilities should not be denied medical care on the basis of stereotypes, assessments of quality of life, or judgments about a person’s relative “worth” based on the presence or absence of disabilities or age. Decisions by covered entities concerning whether an individual is a candidate for treatment should be based on an individualized assessment of the patient based on the best available objective medical evidence.”

The PDH disability discrimination investigation and resolution announced April 28^th resulted from OCR’s investigation of a civil rights complaint filed less than a week after OCR released the Bulletin by Disability Rights Pennsylvania and other disability rights groups. Like many other regional and facility pandemic response plans, the CSC Guidelines listed specific impairments or disabilities that would lead to greater deprioritization of patients for care during a pandemic emergency. The April 3 complaint against PDH charged that Pennsylvania’s CSC Guidelines violated Section 504, Title II, and Section 1557 by unlawfully authorizing the denial of treatment to individuals with disabilities when prioritizing access to critical care and ventilators. The complaint also alleged that the guidelines did not require an individualized assessment, but instead used “preexisting conditions that are disabilities” to determine a priority score.

OCR PDH COVID-19 Civil Rights Investigation & Settlement

Consistent with the warning provided in the Bulletin, OCR moved with rare speed to investigate the complaint and notify PDH of its civil rights concerns. To resolve potential OCR civil rights charges, OCR announced April 28, 2020 that PDH agreed to accept technical assistance from OCR and make the following revisions to its CDC guidelines:

Remove criteria that automatically deprioritized persons on the basis of particular disabilities,
Require individualized assessments based on the best available, relevant, and objective medical evidence to support triaging decisions, and
Ensure at no one is denied care based on stereotypes, assessments of quality of life, or judgments about a person’s “worth” based on the presence or absence of disabilities.

Based on these “responsive actions and the revisions” to its guidelines in response to OCR’s concern, the OCR announcement states that OCR is closing its complaint investigation as satisfactorily resolved without a finding of liability while noting that this does not preclude future OCR enforcement in cases of potential discriminatory implementation of Pennsylvania’s policies by any covered health care provider.

Other Public Health, Health Care & Other COVID Responders Should Confirm COVID-19 Civil Rights Response Compliance

The PDH announcement provides a strong warning to health care providers, public health authorities and other COVID-19 responders to act quickly to evaluate and make any necessary adjustments to redress any questionable disability or other civil rights concerns in their own COVID-19 or other emergency response plans or practices.

Even before the COVID-19 health care emergency, disability and other civil rights law enforcment already was a high priority for OCR and other federal agencies. See e.g., Civil Rights Settlement Highlights Health Industry Discrimination Risks As OCR Prepares To Broaden Requirements; OCR’s Proposed Sex & Other Discrimination Rules Spell Headaches & New Risks For Health Care Providers, Insurers & Others; Check Defensibility Of Policies & Practices Given New HHS/DOJ Joint Disability Law Technical Assistance; Important Lessons For Health Care Providers From Michigan State Settlement Of OCR Larry Nassar Sexual Abuse Investigation; Cognitive Disability Exclusion from Heart Transplant List Placement Prohibited.

The PDH announcement clearly alerts other health care providers and COVID-19 responders that OCR does not plan to slacken civil rights discrimination investigation or enforcement against health care providers or others because of the COVID-19 health care emergency. Rather, the PDH investigaiton and resolution make clear that COVID-19 responders need to use particular care take the well-documented steps necessary to ensure they can defend their ongoing compliance with disability discrimination and other federal civil rights laws throughout the COVID-19 health care emergency.

In this respect, OCR’s PDH announcement makes a point of clearly warning other public health, health care providers and other recipients of HHS funding across the nation against using preexisting conditions or other prohibited stereotypes or classifications of patients without individual assessments to triage and prioritize access to care or other resources for purposes of their COVID-19 or other pandemic planning or response. To emphasize the importance of continued compliance with these civil rights laws, the Bulletin quotes OCR Director Roger Severino, as stating: “Triage decisions must be based on objective and individualized evidence, not discriminatory assumptions about the prognoses of persons with disabilities” and “we must ensure that triage decisions are free from discrimination both in their creation and their application, and we will remain vigilant in achieving that goal.”

These warnings and OCR’s quick enforcement action make clear that OCR’s commitment to hold health care providers, state and local public health, and other COVID-19 responders accountable for ensuring their COVID-19 pandemic plans and operations don’t impermissibly discriminate against individuals with or needing accommodations for disabilities, limited English skills, religious beliefs, age or other status protected by HHS’ civil rights rules. Meanwhile, OCR’s reported willingness to accept PHD’s prompt corrective action without imposing financial sanctions also signals the probable willingness of OCR to show similar leniency to other health care providers or COVID-19 responders that for acting promptly to self-identify and redress potentially questionable past COVID-19 restricted resource allocation practices in response to the PDH announcement and other COVID-19 civil rights compliance guidance.

Given the often multimillion dollar penalties and other heavy sanctions that OCR already regularly imposes against a long and ever-growing list of state and other health care, child care, elder care, insurance and other entities for violating its civil rights nondiscrimination and accommodation requirements and the often significant judgements awarded to private litigant victims, state and local public health, health care providers and other COVID providers generally will want to review and tighten as advisable their existing practices to reduce the risk of being incuring penalties or judgments, being sanctioned, excluded or a combination of these consequences for violation of these nondiscrimination and other civil rights requirements by among other things:

Auditing the adequacy of their pandemic response and other plans, policies, practices and actions for allocating scarce resources and care during the COVID-19 health emergency and in other scarce resource situations;
Developing a strategy and procedures for receiving, investigating and responding with appropriate documentation to complaints or other indicators of potential civil rights violations or risks;
Taking prompt, documented action to reform and strengthen civil rights policies, practices and controls, training, investigations and other compliance and risk management;
Explore potential strategies, if any, to mitigate potential liability exposure to OCR or private litigant investigations or enforcement from past, ongoing or future policies or actions; and
Other actions to maintain and demonstrate their organization-wide culture of compliance with applicable civil rights laws.

Since organization and their leaders likely will be required to uncover and discuss legally and politically sensitive information in the course of these activities, public health, health care and other COVID responders are encouraged to consider engaging qualified legal counsel with relevant experience to advise and guide them in conducting, maintaining and using attorney-client privilege and other procedures to safeguard sensitive analysis, discussions and work product from avoidable discovery and other processes to promote the legal effectiveness and defensibility of their actions.

More Information & Resources

We hope this update is helpful. If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. In addition to this update, the author of this article also is extensively published and frequent speaker on pandemic and other infectious disease, and other health industry crisis preparedness and response, and many other regulatory compliance, risk management and operations, public policy and other concerns. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. also invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a practicing attorney, management and regulatory affairs consultant, author and lecturer, who has worked extensively on pandemic and other crisis planning, preparedness and response and other business change, risk, compliance and operation management throughout her 30 plus year career.

Her experience includes extensive work domestically and internationally with hospitals, health care systems, clinics, skilled nursing and other long term care, rehabilitation and other health care facilities; physicians, medical staff and other health care providers and organizations; accreditation, peer review and quality committees and organizations; health care management and technology and other health and managed care industry clients; self-insured and insured health and other employee benefit plans, their sponsors, fiduciaries, administrators, insurers and service providers and other payers; employers; billing, utilization management, quality, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization and the author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans and a multitude of other publications and workshops on health and other disaster and other crisis preparedness, risk management and response, as well as a multitude of other health care, workforce and other management and regulatory affairs publications and presentations, Ms. Stamer also shares her thought leadership through her extensive and diverse involvement in a broad range of other professional and civic organizations. Examples of these involvements include her service as the current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former JCEB Council Representative; past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; former ABA RPTE Employee Benefits & Other Compensation Group Chair and Past Chair and current Co-Chair of its Welfare Benefits Committee; former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas; former technical advisor to the National Physicians Council on Health Care Policy; former member of the Stem Cell Advisory Committee; and in a multitude of other professional, trade, civic and community service organizations . For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides consulting, publications and other information, education, coaching, training, tools and other resources on leadership, governance, health care, human resources, employee benefits, insurance, public policy and regulatory affairs, data security and privacy and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive license to republish granted to SOlSolutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | 21st century cures act, ADA, air ambulance, Biological Wafar3e, Civil Rights, Consumer Driven Health Care, Coronavirus, Corporate Compliance, COVID-19, Cultural diversity, Diabetes, Disability Discrimination, Disease Management, DME, Doctor, drug treatment, ebola, Emergency Care, English as A Second Language, Health Care Provider, Health Care Quality, healthcare, HHS, Home Health, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Life Sciences, long-term care, managed care, medical devices, Pandemic, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

CMS Steps Up Nursing Home Inspections & Tightens Inspections In Response To Continuing COVID-19 Outbreaks & Deaths

April 3, 2020

Skilled nursing and other long term care facilities commonly known as “nursing homes” (“LTC facilities”),[i] rehabilitation, assisted living, retirement and other facilities and communities caring for elderly, disabled, aged or other infirm patients or residents should use recently released tools to confirm the adequacy of and update their current COVID-19 and other infectious disease prevention and control and other key policies and practices with the latest Centers for Medicare & Medicaid Services (CMS) and Centers for Disease Control and Prevention (CDC) requirements and guidelines in light of recently announced changes to CMS nursing home inspection policies (the “Targeted Inspection Policy”)[iii] that target nursing homes with COVID-19 outbreaks or death for likely inspection announced March 23, 2020 including all existing requirements including new “recommendations” on nursing homes on COVID-19 preparedness and response announced April 2, 2020 (the “April Recommendations”).[iii]

Prompted by the continuing explosive growth in COVID-19 infection and deaths among nursing home residents and widespread deficiencies found during recent inspections at the Kirkland, Washington Life Care Center nursing homes (the “Kirkland Facilities”) made notorious by the death of 23 people and other nursing homes with COVID-19 inspections, the Targeted Inspection Policy and April Recommendations supplement and give more teeth to the CMS Guidance for Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes (the “3/3 Directive”)[iv] previously released by CMS released in conjunction with President Trump’s Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (“COVID Emergency Declaration”) in response to concerns raised by reports of 19 COVID-19 related deaths at the Kirkland Facilities[v] on March 13, 2020.

Despite CMS and CDC’s efforts to reign in nursing home based COVID-19 infections and deaths by ordering nursing homes in the Nursing Home Directive to limit outside visitors and take other precautions outlined in the Nursing Home Directive and release of other guidance and tools, nursing home based COVID-19 infections and deaths have continued to soar since March 13, 2020.[vi] Meanwhile, onsite audits at the Kirkland Facilities and other facilities during March uncovered concerning deficiencies in the compliance at the Kirkland Facilities and many other nursing homes across the nation, as well as the need to address other weaknesses in current CMS and CDC practices and guidelines that the agencies determined were perpetuating practices that left nursing home residents exposed to COVID-19.

The new Targeted Inspection Policy and April Recommendations attempt to address these compliance and other concerns by updating, clarifying and supplementing previously established requirements and guidance, providing new tools for nursing homes and their inspectors to use to assess nursing home compliance with the latest standards and stepping up inspections and enforcement of nursing homes that experience COVID-19 outbreaks.[vii]

April Recommendations Send Warnings, Share New Tools

To this end, the just announced April Recommendations urge nursing homes to move quickly to clean up their practices by:

Urging nursing homes to immediately ensure that they are complying with all CMS and CDC guidance related to COVID-19 and other infection control and other requirements;
Urging nursing homes immediately to implement symptom screening for all staff, residents, and visitors – including temperature checks; [viii]
Urging nursing homes to ensure all staff are using appropriate PPE when interacting with patients and residents, to the extent PPE is available and per CDC guidance on conservation of PPE;
Confirming the availability of Medicare coverage of Medicare enrolled residents performed by laboratories and that facilities can allow laboratory personnel into facilities to perform the tests;
Urging State and local leaders to consider the needs of long term care facilities with respect to supplies of PPE and COVID-19 tests as nursing homes are a critical part of the healthcare system, and because of the ease of spread in long term care facilities and the severity of illness that occurs in residents with COVID-19,
Recommending facilities use separate staffing teams for residents to the best of their ability to avoid transmission within nursing homes in response to evidence that using staff shared between multiple facilities helped to fuel the COVID-19 outbreak in the Kirkland Facilities;
Consistent previously published guidance and resources on the CDC Isolation Sites and Alternative Care Sites webpage,[ix] urging nursing homes to work with State and local leaders to designate separate facilities or units within a facility to separate COVID-19 negative residents from COVID-19 positive residents and individuals with unknown COVID-19 status; and
Encouraging facilities to use new targeted survey assessment tools adopted by CMS to guide inspections under the Targeted Inspection Program to self-assess and make appropriate adjustments to tighten their facility compliance with applicable requirements and guidelines promptly.

While characterized as “recommendations,” the reaffirmation in the April Recommendations that CMS intends to continue to follow the new Targeted Inspection Policy announced March 23, 2020 sends a strong message to all nursing homes that CMS does not view compliance with the recommendations as optional.

Under the Targeted Inspection Policy, CMS intends to conduct targeted inspections giving prioritization for Immediate Jeopardy investigations over recertification surveys for Clinical Laboratory Improvement Amendment (CLIA) laboratories.

According to CMS’ announcement regarding the Targeted Inspection Policy, only the following types of federal inspections will be prioritized and conducted over the next few weeks:

Complaint inspections: State survey agencies will continue to conduct inspections related to complaints and facility-reported incidents that are triaged at the Immediate Jeopardy level. Inspectors will use a streamlined Infection Control review tool, regardless of the Immediate Jeopardy allegation.
Targeted Infection Control inspections: Federal and state inspectors will conduct targeted infection control inspections of providers identified through CMS collaboration with the Centers for Disease Control and Prevention (CDC). These inspectors will use a streamlined targeted review checklist to minimize the impact on provider activities, while ensuring providers are implementing actions to protect health and safety. This will consist of both onsite and offsite inspections.
Self-Assessments: The Infection Control checklist referenced above will also be shared with providers and suppliers, to allow for self-assessment of their Infection Control plans. This may be the best solution in some cases when there is a lack of personal protective equipment or state surveyors available.

During this time frame, CMS has indicated it will not conduct the following inspections:

Standard inspections for nursing homes, hospitals, home health agencies, intermediate care facilities for individuals with intellectual disabilities, and hospices; and

Revisit inspections not associated with Immediate Jeopardy.

In addition to redefining the priorities and scope for conducting inspections in the new Targeted Inspection Policy, CMS also refocused the inspection process that surveyors are expected to use when conducting inspections under the Targeted Inspection Policy which includes existing components of CMS’s infection control inspection process updated to include the latest CDC and CMS guidance. Under the Targeted Inspection Policy CMS and state inspectors will be guided by a newly developed and updated targeted assessment tool in assessing if certain facilities are prepared to meet CMS’s expectations for preventing the spread of COVID-19. When gaps are identified, CMS warns that facilities will be required to take corrective actions to close the gaps.

Facilities are well advised to follow the recommendation of CMS to use the new surveyor tools to self-assess their own ability to prevent the spread of COVID-19 in accordance with applicable CMS requirements both to mitigate potential exposures to CMS sanctions and because CMS also is encouraging residents and families to be proactive about nursing home safety by among other things asking facility staff how the facility performed on its self-assessment. Facilities and their leaders at all times should keep in mind the significant risks that they are likely to incur if significant deficiencies are found from an inspection. While the March 23, 2020 announcement of the Targeted Inspection Policy states that CMS is not seeking to be punitive, but rather to respond to urgent issues while proactively ensuring providers are compliant with federal health and safety standards. Accordingly, CMS has indicated that CMS intends to exercise enforcement discretion, unless Immediate Jeopardy situations arise. Given the conclusions announced regarding Immediate Jeopardy findings found from the inspection at the Kirkland Facility, however, nursing homes are well advised to assume that the occurrence of COVID-19 related deaths or infections at their facilities might create a significant risk of Immediate Jeopardy findings with regard to their facilities which could result in significant sanctions.

CMS and other agencies continue to tailor their response to the COVID-19 outbreak. In addition to verifying and maintaining their compliance with current COVID-19 and other CMS, CDC and state and local requirements and guidelines, nursing homes and their leaders also should continue to monitor emerging developments and guidance from CMS, CDC, the Federal Emergency Management Agency (“FEMA”) and their state and local regulatory bodies.

[i] Nursing homes (also known as “skilled nursing facilities” under the Medicare program and “nursing facilities” under Medicaid; or “long-term care facilities”).

[ii] Press release Trump Administration Issues Key Recommendations to Nursing Homes, State and Local Governments, CMS (2020), https://www.cms.gov/newsroom/press-releases/trump-administration-issues-key-recommendations-nursing-homes-state-and-local-governments (last visited Apr 2, 2020).

[iii] Fact sheet Kirkland, Washington Update and Survey Prioritization Fact Sheet, CMS (2020), https://www.cms.gov/newsroom/fact-sheets/kirkland-washington-update-and-survey-prioritization-fact-sheet (last visited Mar 31, 2020).

[iv] Guidance For Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes, DEPARTMENT OF HEALTH & HUMAN SERVICES (2020), https://www.cms.gov/files/document/3-13-2020-nursing-home-guidance-covid-19.pdf (last visited Mar 30, 2020).

[iv] Nursing home with the biggest cluster of covid-19 deaths to date in the U.S. thought it was facing an influenza outbreak, a spokesman says, https://www.msn.com/en-us/news/us/nursing-home-with-the-biggest-cluster-of-covid-19-deaths-to-date-in-the-us-thought-it-was-facing-an-influenza-outbreak-a-spokesman-says/ar-BB11fvgj (last visited Mar 30, 2020).

[vi] See e.g., Guidance for Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes (REVISED), CMS (2020), https://www.cms.gov/files/document/qso-20-14-nh-revised.pdf (last visited Apr 2, 2020).

[vii] In the initial wave of surveys during the week of March 30, CMS reports finding 36 percent of facilities inspected in recent days did not follow proper hand washing guidelines and 25 percent failed to demonstrate proper use of personal protective equipment (PPE) required by longstanding federal regulations. Press release Trump Administration Issues Key Recommendations to Nursing Homes, State and Local Governments, CMS (2020), https://www.cms.gov/newsroom/press-releases/trump-administration-issues-key-recommendations-nursing-homes-state-and-local-governments (last visited Apr 3, 2020).

[viii] Facilities that have not already done so should consult with experienced legal counsel for assistance about the advisability of providing or posting notifications and/or securing consents to these screening procedures, advisable or recommended procedures regarding the collection, use, or disclosure of screenings or their results, or other safeguards to manage relevant privacy or other legal rights or risks.

[ix] See Alternate Care Sites and Isolation Sites (March 25, 2020) https://www.cdc.gov/coronavirus/2019-ncov/healthcare-facilities/alternative-care-sites.html. Also see Topic Collection: Alternate Care Sites (including shelter medical care) https://asprtracie.hhs.gov/technical-resources/48/alternate-care-sites-including-shelter-medical-care/47.

More Information

We hope this update is helpful. In addition to this update, the author also has prepared a more comprehensive discussion of these concerns scheduled for publication by the American Bar Association Health Publication in April, 2020. To request access for a prepublication unofficial manuscript of that upcoming publication or of more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive license to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | 1335 Waiver, Biological Warfare, Centers For Disease Control, Conditions of Participation, Coronavirus, Corporate Compliance, COVID-19, Disaster Relief, Disease Management, drug treatment, Durable Medical Equipment, Federal Health Center, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, HHS, home health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Laboratory tests, Licensing, long-term care, Medicaid, Medicare, Medicare Advantage, Mental Heatlh, nursing home, Pandemic, Patient Empowerment, Physician, public health, Public Policy, quality reporting, Reimbursement, Skilled Nursing Facility, Uncategorized, Veterans Health, Veterans Health Care | Permalink
Posted by Cynthia Marcotte Stamer

OCR Warns HIPAA Entities To “Get Serious” About HIPAA Compliance In Announcing Latest Settlement Against Ambulance Company

December 31, 2019

The $65,000 payment and corrective action plan commitments West Georgia Ambulance, Inc. (“West Georgia”) is making to settle Department of Health & Human Services Office for Civil Rights (“OCR”) charges it recurrently violated the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule sends a warning to all oher HIPAA-covered health care providers, health plans, health care clearighouses and their business associates (“covered entities”)maintain and be prepared to defend their own HIPAA compliance under a Resolution Agreement and Corrective Action Plan (“Resolution Agreement”) OCR announced on December 30, 2019.

The Resolution Agreement resolves charges resulting from an OCR investigation initiated in response to a HIPAA breach report the Georgia based ambulance company filed in 2013 in which the company, which provides emergency and non-emergency ambulance services in Carroll County, Georgia, disclosed the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. The breach occurred when an unencrypted laptop fell off the back bumper of an ambulance. The laptop was not recovered. West Georgia reported that exactly 500 individuals were affected by the breach.

In the course of its investigation of the breach report, OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Specifically, the Resolution Agreement states that West Georgia:

Did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A);
Failed to have a HIPAA security training program, and failed to provide security training to its employees. See 45 C.F.R. § 164.308(a)(5);
Failed to implement Security Rule policies or procedures. See 45 C.F.R. § 164.316; and
Despite OCR’s investigation and technical assistance, “did not take meaningful steps to address their systemic failures.”

To resolve its exposure to the substantially higher civil monetary penalties that OCR could impose for violations of this nature, West Georgia agreed to pay a $65,000 resolution payment to OCR and implement and comply with a corrective action plan that in addition to requiring West Georgia to correct the compliance deficiencies, also subjects West Georgia to two years of OCR monitoring and oversight.

The Resolution Agreement and corrective action plan carry a number of important messages for other health care providers and other Covered Entities. First, the OCR enforcement action against West Georgia coming at the end of yet another heavy HIPAA enforcement year by OCR reminds Covered Entities that OCR is serious about HIPAA enforcement on the heels of its 2018 HIPAA record setting collection of $28.7 million in civil monetary penalties and resolution payments including the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc. See OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement. While not topping this record, OCR during 2019 now has collected civil monetary penalties and resolution payments totaling more than $15 million from HIPAA Covered Entities and their business associates including:

Second, the Resolution Agreement and various other smaller settlements during the year show HIPAA compliance and enforcement is a concern for smaller provideres and other covered entities, not juswt the huge ones. While the $65,000 settlement payment required by the Resolution Agreement is substantially smaller than the amounts of the civil monetary penalties and many of resolution payments OCR collected in its other 2019 enforcement actions, the West Georgia and other 2019 enforcement actions demonstrate the teeth behind the warning in the OCR Press Release announcing the West Georgia Resolution Agreement from OCR Director Roger Severino that“All providers, large and small, need to take their HIPAA obligations seriously.” With OCR promises to keep up its vigorous investigation and enforcement of the HIPAA requirements, every Covered Entity and business associate should take the necessary steps to verify and maintain their HIPAA compliance and to be prepared to defend their compliance under the Privacy, Security, Breach Notification and HIPAA access and other individual rights mandates of HIPAA.

Third, OCR’s statement in the Resolution Agreement about the failure by West Georgia to meaningfully act to correct compliance deficiencies and cooperate in other corrective action during the period following the breach report highlights the importance for covered entities involved in a breach or other dealings with OCR on a potential compliance concern to behave appropriately to express and exhibit the necessary concern OCR expects regarding the compliance issue to position themselves to request and receive the clemency OCR is empowered under HIPAA to extend when deciding the sanctions for any noncompliance.

Of course meeting the requirements of HIPAA is not the only concern that covered entities should consider as they review and tightened their HIPAA and other privacy and data security procedures. Health care providers and other covered entities also should keep in mind their other obligations to protect patient and other confidential information under other federal laws, the requirements of which also are ever-evolving. For instance, on January 1, 2020 Texas providers like other Texas businesses will become subject to a shortened deadline for providing notice of data breaches under a new law enacted by the Texas Legislature in its last session. Arrangements should be designed to fulfill all of these requirements as well as any ethical or contractual.

Covered entities also should keep in mind that violations of HIPAA can have implications well beyond HIPAA.ramifications beyond HIPAA itself. For instance, heath care providers can face disqualification from federal program participation, licensing and ethics discipline and other professional consequences. Health plans and their fiduciaries also may face Department of Labor and other fiduciary claims, while insurers can face licensing and other regulatory consequences.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with the Department of Health & Human Services Office of Civil Rights, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer has extensive legal, operational, and public policy experience advising and representing health care, health care and other entities about HIPAA and other privacy, data security, confidentiality and other matters.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, public and private primary, secondary, and other educational institutions, and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has recurrently worked extensively with public school districts and public and private primary and secondary schools, colleges and universities, academic medical, and other educational institutions, insured and self-insured health plans; domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, employers; and federal and state legislative, regulatory, investigatory and enforcement bodies and agencies on health care, education, and other data privacy, security, use, protection and disclosure; disability and other educational rights; workforce, and a host of other risk management and compliance concerns.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

1 Comment | air ambulance, ambulance, Health Care, Health care coding, Health Care Provider, Health Care Quality, HIPAA, HIPAA Cyber Crime, Home Health, home health, Hospital, Hospital, hospitals, Medical Privacy, Physician, Privacy, Rural Health Care, Uncategorized, Veterans Health Care | Permalink
Posted by Cynthia Marcotte Stamer

University of Rochester Medical Center Paying $3 Million For Unencrypted Laptop & Flash Drive

November 6, 2019

$3 million is the hefty price that the University of Rochester Medical Center (URMC) has agreed to pay to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules arising from the loss of unencrypted laptops and other mobile devices containing protected health information (PHI). Like prior settlements and civil monetary penalties OCR previously assessed against HIPAA-covered entities for using or storing electronic protected health information (ePHI) on unencrypted mobile devices, the $3 million sanction and other requirements imposed in the URMC Resolution Agreement and Corrective Action Plan made public after the close of business on November 5 reaffirm OCR’s readiness to sanction harshly health care providers, health plans, healthcare clearinghouses and businesses associates for the loss or compromise of ePHI due to the covered entity’s failure to appropriately encrypt mobile devices. Any HIPAA covered entity or business associate that has not already done so must act to avoid a similar fate by establishing and enforcing systematic procedures to ensure all mobile devices using, accessing, storing or otherwise dealing with ePHI are properly encrypted at all times.

URMC Breach & Resolution Agreement

The URMC Resolution Agreement resolves potential charges resulting from an OCR investigation commenced in response to breach reports UMRC filed with OCR in 2013 and 2017. The breach reports disclosed UMRC’s discovery of the impermissible disclosure of PHI through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.

OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

OCR made a point of reaffirming the requirement to encrypt laptops and other mobile devices containing ePHI when announcing the new Resolution Agreement. “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

As part of its punishment for allowing the ePHI breaches by failing to encrypt mobile devices, URMC must pay a $3 million monetary settlement as well as undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Mobile Device Encryption Requirement Well-Established

OCR repeatedly through published guidance and reported sanctions repeatedly has warned covered entities and business associates not to permit ePHI to be used, accessed or stored on unencrypted laptops or other mobile devices. In 2017, Children’s Medical Center of Dallas (Children’s) paid a $3,217,000.00 Civil Monetary Penalty (CMP) after OCR issued its January 18, 2017 Final Determination that Children’s for years knowingly violated HIPAA by failing to encrypt or otherwise properly secure ePHI on laptops and other mobile devices and failing to comply with many other HIPAA requirements. See Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules. An OCR Newsletter Article on Guidance on Mobile Devices and Protected Health Information (PHI), for instance, states:

Entities regulated by the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) must be sure to include mobile devices in their enterprise-wide risk analysis and take action(s) to reduce risks identified with the use of mobile devices to a reasonable and appropriate level.
The article also shared insights about some of the steps OCR considers necessary to meet this expectation, as including:

Implement policies for use of mobile devices that are used to handle PHI;
Consider using Mobile Device Management (MDM) software to secure mobile devices;
Install or enable automatic lock/logoff functions;
Require authentication to access devices;
Keep devices’ security features updated;
Procure encryption, anti-virus/anti-malware software, and remote wipe capabilities;
Use a privacy screen to prevent viewing by third-parties;
Assure that Wi-Fi networks used are secure;
Use a secure Virtual Private Network (VPN);
Institute policies regarding downloading third-party apps on devices which access PHI;
Delete all PHI from device before disposing of; and
Provide training on secure use of mobile devices for all employees.

Covered entities and business associates should promptly and continuously act to ensure on a systematic and carefully documented basis that their organization is taking these and and other steps necessary to ensure that all mobile device with ePHI are always appropriately encrypted.

We hope this information was helpful. For more information about HIPAA or other related concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates and join discussions about these and other human resources, health and other employee benefit and patient empowerment concerns by participating and contributing to the discussions in our Solutions Law Press Health Care Risk Management & Operations Group and registering for updates on our Solutions Law Press Website.

About the Author

As a primary focus of this work, Ms. Stamer has worked extensively with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers, health industry advocacy and other service providers and groups and other health industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is noted for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her services, experience and involvements, e-mail Ms. Stamer here or contact Ms. Stamer via telephone at (214) 452-8297 or see here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides legal risk management and compliance, business strategy and operations, management, leadership and other publications, coaching, , training and education tools and other resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, we invite you to register to receive other updates and review our other Solutions Law Press, Inc.™ resources available here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | 21st century cures act, Academic medicine, Ambulatory care, ASC, Centers For Disease Control, Childrens Health Insurance Program, Civil Rights, Corporate Compliance, Cyber crime, data security, E-Prescribing, Electronic Health Records, Employee Benefits, Employer, Employment, Health Care, Health Care Finance, Health Care Provider, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Joint Commission, medical devices, Medical Privacy, NIST, Skilled Nursing Facility, Technology, Telemedicine, Uncategorized | Tagged: cyber cybersecurity, Data Breach, Data Privacy, HIPAA, medical, patient | Permalink
Posted by Cynthia Marcotte Stamer

Jackson Health System Nailed With $2.15 Million Plus Penalty For Violating HIPAA

October 23, 2019

Jackson Health System (JHS) has paid a heavy price for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016.

The $2,154,000 civil monetary penalty the Miami, Florida-based nonprofit academic medical system paid to the Department of Health & Human Services Office for Civil Rights (OCR) to settle OCR charges it violated the HIPAA Security & Breach Notifications= Rules makes clear the urgent need for other health care providers, health plans, healthcare clearinghouses and their business associates to verify the adequacy of their organizations with HIPAA’s privacy, security and breach notification rules currently and on an ongoing basis.

The $2.1 million plus payment was required to satisfy a civil monetary penalty assessment OCR imposed in a Notice of Proposed Determination and Notice of Final Determination made public by OCR on October 23, 2019 in response to findings from a series of investigations of HIPAA breach and compliance concerns raised between 2013 and 2016 raised by various HIPAA-mandated breach reports and media reports that raised concerns about improper access disclosure and use of patient PHI between 2013 and 2016. When JHS did not challenge the findings or determination became final. OCR reports JHS has paid the specified $2.154,000 civil monetary penalties.

JHS HIPAA Violations Found By OCR

JHS operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics, provides health services to approximately 650,000 patients annually, and employs about 12,000 individuals. The OCR investigation stemmed from a series of breach and media reports spanning several years and revealed a host of long standing violations of long-standing HIPAA requirements and a failure to accurately disclose or correct those or other violations of a nature that likely continue to exist in many health care systems and other covered entities.

On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department lost paper records containing the protected health information (PHI) of 756 patients in January 2013. JHS’s internal investigation determined that an additional three boxes of patient records also were lost in December 2012; however, JHS did not report the additional loss or the increased number of individuals affected to 1,436, until June 7, 2016.

In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.

On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had accessed inappropriately over 24,000 patients’ records since 2011.

According to OCR Director Roger Severino, “OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years. …This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

These and other findings led to the OCR determination in the Notice of Proposed Determination and Notice of Final Determination that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties. OCR assessed the $2.1 million civil monetary penalty based on these determinations.

Lessons For Other Health Providers & HIPAA Covered Entities Likely Similarly Exposed

The JHS civil monetary penalty is the latest in a growing series of OCR enforcement and regulatory actions that drive home the perils HIPAA-covered health care, health plan, healthcare clearinghouse and business associates risk by failing to responsibly and effectively manage their HIPAA compliance. A review of the available JHS record reveals that like all too many HIPAA-covered entities, JHS never adequately implemented appropriate measures to operationally comply with many of the original HIPAA requirements and perpetuated those deficiencies despite the series of breaches. Sadly, many other health care systems and other HIPAA-covered entities are subject to the same practices. Failing to address these compliance issues makes these non-compliant entities susceptible to the same type of enforcement and other liabilities that JHS now has experienced.

OCR enforcement data documents a steady rise in OCR investigation and enforcement activity. OCR set all-time records for HIPAA Enforcement in 2018. Heavy enforcement activity has continued in 2019. Before its October 23, 2019 announcement of the JHS civil monetary penalties, OCR already had announced:

A $10,000 resolution agreement with a dental practice for improperly disclosing patient PHI on social media at the beginning of October;
Its first HIPAA right of access resolution agreement against a health care provider for violating HIPAA’s right of access rules on September 9, 2019 as part of its recently announced HIPAA access rule enforcement initiative;
A $100,000 resolution payment from an Indiana Medical Records Service resulting from a breach of electronic protected health information at a business associate;
The collection of a $3 million resolution payment collected from a Tennessee diagnostic medical imaging services company to settle HIPAA civil monetary penalty exposures arising from a breach that exposed the protected health information of more than 300,000 patients; and
A multitude of other audits and enforcement activities resolved through corrective action without collection of any resolution payment or civil monetary penalties.

Given these and other previously announced enforcement initiatives and actions, all HIPAA covered entities and their business associates are urged to maintain hyper-vigilance about their own HIPAA compliance with long standing as well as emerging HIPAA requirements taking into account old, recent, and emerging guidance and enforcement activities of OCR. Given the almost certain discovery or discussion of known or uncovered compliance concerns and other sensitive information, covered entities are cautioned that these activities generally should be undertaken under the guidance of an experienced attorney within the scope of attorney client privilege.

For More Information

About the Author

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Leave a Comment » | Academic medicine, Conditions of Participation, continuing medical education (CME), Corporate Compliance, Cultural diversity, Discrimination, Doctor, Employer, Employment law, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Care Quality, Home Health, Hospital, hospitals, Immigration, Inpatient Rehabilitation, Labor Law, Laws, Life Sciences, Medical Privacy, Patient Empowerment, Peer Review, Psychiatric, Section 1557, Sexual Abuse, Sexual Assault, Sexual Harassment, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

IRS Proposes Easing Disclosure Requirements For Certain Tax-Exempt Entities

October 9, 2019

December 10, 2019 is the deadline for charitable and other tax-exempt organizations to comment on proposed regulations the Internal Revenue Service (“IRS”) intends to use to implement clarify the reporting requirements generally applicable to tax-exempt organizations as they apply to returns filed after September 6, 2019.

The proposed regulations officially published by the IRS in the September 10, 2019 Federal Register implement changes in response to various statutory amendments and certain grants of reporting relief announced by the Treasury Department and the IRS in prior guidance to help many tax-exempt organizations generally find the reporting requirements in one place. Among other provisions, the proposed regulations incorporate the existing exception from having to file an annual return for certain organizations that normally have gross receipts of $50,000 or less, which is found in Revenue Procedure 2011-15.

In addition, the proposed regulations also reissue relief for certain tax-exempt entities from requirements to report contributor names and addresses on annual returns filed by certain tax-exempt organizations. Originally announced last year in Revenue Procedure 2018-38, the relief was invalidated by a district court ruling that the Treasury Department and the IRS failed to follow required notice and comment procedures. Under the proposed regulations, filing requirements for Section 501(c)(3) organizations and Section 527 political organizations remain unchanged, and all organizations are required to keep the contributor information and make it available to the IRS upon request.

Additionally, the IRS issued Notice 2019-47 (PDF) providing penalty relief for certain exempt organizations that, consistent with the 2018 guidance from the IRS, do not report the names and addresses of contributors on annual returns for tax years ending on or after December 31, 2018, but on or before July 30, 2019.

Need more information or help evaluating or responding to this or developments? Contact the author licensed attorney experienced in FDA and other health care and other regulatory affairs matters.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including extensive experience advising and representing health care systems and providers about sexual abuse, assault, harassment, discrimination and other personal and professional misconduct policies, training and other prevention and investigation, peer review and other discipline, mitigation and charges defense, as well extensively published and conducted workshops on “Sex, Drugs & Rock ‘N Role: Preventing and Addressing Personal Misconduct In Healthcare,” “What To Do When Your Employee’s Life Becomes Your Business,” and other educational training and publications for health industry clients and others on these concerns.

In these and other legal, management, governmental affairs work and speaking and publications, Ms. Stamer When working with these and other clients, Ms. Stamer merges a talent for creative problem solving with her detailed legal and operational knowledge and experience to help her clients develop and use legally defensible, pragmatic, client-centric law, performance and risk management tools and processes to manage people, performance, quality, compliance, risk and other operational needs on a real-time, “on demand” basis as well as outsourced general, operations, regulatory affairs or other special counsel capacity on an interim, special project, or ongoing basis. Her clients have included domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients.

Her involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, discipline and defend sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, Conditions of Participation, continuing medical education (CME), Corporate Compliance, Cultural diversity, Discrimination, Doctor, Employer, Employment law, Federal Health Center, Federal Sentencing Guidelines, Form 990, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Home Health, Hospital, hospitals, Immigration, Inpatient Rehabilitation, Labor Law, Laws, Life Sciences, Medical Privacy, Patient Empowerment, Peer Review, Psychiatric, Rural Health Care, Section 1557, Sexual Abuse, Sexual Assault, Sexual Harassment, Tax, Tax-Exemption, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Important Lessons For Health Care Providers From Michigan State Settlement Of OCR Larry Nassar Sexual Abuse Investigation

August 12, 2019

Health care providers should review and tighten their policies and practices for conducting therapies or other procedures on children and other procedures on any patient involving the exposure of the breasts, genitalia or rectum where a patient is fully or partially disrobed as well as sexual assault, abuse and harassment policies and procedures in light of a resolution agreement between the Board of Trustees of Michigan State University (“MSU”) d/b/a Michigan State University and MSU HealthTeam (“MSU HealthTeam”) and MSU Health Care, Inc. (“MSU Health Care”) announced by the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) arising from a civil rights compliance review OCR initiated after federal and state criminal investigations found that an osteopathic physician Larry Nassar sexually abused gymnasts and others while employed as an associate professor by MSU.

OCR opened a compliance review of MSU to determine if its doctors’ offices and clinics violated Title IX of the Education Amendments of 1972 (“Title IX”) and Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) after federal and state criminal investigations found Nassar sexually abused hundreds of women and girls under his care over decades while an associate professor at MSU.

Considered alone or in conjunction with the growing awareness and concern fueled by the #me too movement, widespread publicity about the sexual misconduct of Nassar alleged Bill Cosby, billionaire Jeffrey Einstein, who died in prison while awaiting trial last Saturday and others, and OCR’s reaffirmation of its commitment to vigorously enforce civil rights laws in connection with its May 24, 2019 proposal of changes to its Section 1557 implementing regulations, the Resolution Agreement sends a strong signal to health care organizations and individual physician and other health care providers of the advisability of proactively preventing and managing their exposure to potential sexual abuse, assault and harassment complaints brought by patients, caregivers, employees and others.

The OCR investigation that led to the Resolution Agreement arose from a compliance review OCR started after Nassar was sentenced to 40 to 125 years in prison on February 5, 2018, after entering a guilty plea to seven counts of felony criminal sexual conduct in the first degree in Eaton County, Michigan. He also has been convicted to various other federal and state sexual offenses. Additionally, the former dean of MSU’s College of Osteopathic Medicine, William Strampel, was convicted of felony misconduct stemming from a charge that he used his public office to sexually harass students and a separate charge of willfully neglecting to monitor Nassar after an earlier investigation.

Title IX and Section 1557 are two of a multitude of federal laws prohibiting sex discrimination enforced by OCR, Title IX prohibits discrimination on the basis of sex in federally assisted education programs or activities while Section 1557 prohibits discrimination on the basis of sex, race, color, national origin, age and disability in certain health programs or activities.

The Resolution Agreement resolves potential additional enforcement action by OCR against MSU arising from the investigation commenced in response to the Nassar convictions as well as enforcement actions OCR had initiated against the MSU Entities for failing to comply with an earlier OCR resolution agreement.

In return for OCR’s agreement to close its investigation, the Resolution Agreement requires the MSU Entities to implement specific procedures for conducting examinations and procedures involving children as well as procedures and therapies conduct on patients of any age and gender s where the patient is disrobed, in full or in part, and there is exposure of the breasts, genitalia or rectum (“sensitive examinations”) as well as strengthen its other policies, notices and practices impacting the prevention, investigation and redress of sexual abuse, sexual assault, sexual harassment and other sex discrimination against patients, staff, employees and others.

Notably, to help safeguard patients from future sexual assault or abuse, the Resolution Agreement requires the MSU Entities to adopt, communicate to patients and staff and enforce specific policies patient privacy, chaperones and informed consent and patient privacy including

Requiring that staff always follow Universal Precautions with conducting “sensitive examinations,” which the Resolution Agreement defines as “procedures or therapies where the Patient is disrobed, in full or in part, and there is exposure of the breasts, genitalia or rectum);
Require that staff provide the patient with: an explanation of the required examination, procedure or therapy before beginning the procedure and secure informed consent from the patient or if the patient lacks decision making capacity, the consent of the patient’s guardian before conducting any sensitive examination;
Always honor the Patient’s request to have a parent, relative or friend present as a support person present during any sensitive examination;
Requiring a chaperone for all sensitive examinations;
For sensitive examinations of patients of 10 years of age or greater that the chaperone be an authorized member of the health care team and in other cases allow patients and/or their parent or other support person, as well as providers to request a chaperone at any time;
Require that physical examinations of an infant, toddler or child always be performed in the presence of a patient or guardian unless the parent or guardian or, if the parent is unavailable or in situations involving suspected abuse, mental health or other instances where the parental presence would interfere with the examination, another member of the health care team;
Require the use of a chaperone for sensitive examinations be documented in the patient record or where a patient declines or refuses a chaperone for an examination where one is required, require that the provider document the offer and its declination in the record and have the patient or guardian sign a waiver;
Always honor a patient’s request to have a chaperone present even when the patient also has a support person present when conducting a sensitive examination; and
Allow the patient’s wishes and comfort to determine the sex of the chaperone and accommodate, to the extent practicable, a patient’s request for a same sex chaperone

Moreover, the Resolution Agreement also dictates that the MSU Entities ensure that staff always provide patients undergoing sensitive examinations with an appropriate gown, privacy for undressing and dressing, and sensitive draping to maximize physical privacy.

In addition to these specified required procedures for the actual conduct of sensitive medical examinations, the Resolution Agreement also requires that the MSU Entities significantly strengthen their policies, notifications, procedures, and training regarding sexual assault, sexual abuse, sexual harassment and sex discrimination including to:

Revise their existing non-discrimination notices and sexual misconduct policies to clarify Title IX’s and Section 1557’s prohibitions against sex discrimination, including sex discrimination, sexual harassment, sexual abuse and sexual assault, against men and women;
In the revised non-discrimination notices and sexual misconduct policies clearly communicate that patient, staff or individuals who believe they are victims of sexual harassment, abuse, assault or other sexual harassment are “encouraged” to report their concerns to the designated MSU Entities’ Title IX and Section 1557 compliance team, the MSU police and OCR and explains the procedures for making those reports;
Conspicuously post and distribute the revised nondiscrimination and sexual misconduct policy notices which clearly communicate the clarified non-discrimination and sexual harassment policies;
Improve their processes for notifying students, staff, patients and others about reporting and for investigating and resolving Title IX and Section 1557 complaints (including for MSU-students, non-MSU-student patients, faculty and staff) including specific requirements concerning reporting to and coordination between MSU Entities’ compliance staff and law enforcement;
Designate a responsible official to coordinate the acceptance, investigation and resolution of Title IX and Section 1557 complaints;
Conduct all-staff training, planning and coordination between MSU Entities’ compliance and investigation teams and law enforcement, and provide bi-annual reports to OCR during the three year term of the agreement;
Require that all grievances or complaints alleging sexual assault, sexual abuse, sexual harassment or other sex discrimination filed by any patient, staff or other individual related to the MSU Health Team, be reviewed and investigated by, or under the supervision of, a dedicated independent health care investigator approved by OCR, who MSU may only terminate for cause with OCR’s consent.

While neither exhaustive nor binding on any other health care providers, the conditions (CR imposed against MSU under the Resolution Agreement are concrete steps other health care organizations and providers, academic institutions and other organizations and individuals at risk of claims directly or vicariously should consider using as part of their efforts to prevent and defend themselves against potential exposures to sexual misconduct charges.

With the #metoo movement and other widespread media coverage of the Nassar, Jeffery Epstein, Bill Cosby and other sex scandals fueling growing awareness and discussion about sexual abuse, assault and harassment, physicians and other individual health care providers as well as the health care systems, clinics and other health industry organizations, educational institutions and businesses generally face heightened risks of accusations by patients, caregivers, employees, and others of sexual misconduct. Whether founded in fact, hypersensitivity, or independent agenda, recent history proves the potentially financially costly civil judgments or settlements, as well as career if not freedom ending consequences health care providers and institutions if unable to defend these claims. In addition to the criminal sentences imposed upon Nassar and, for instance, MSU previous entered into a civil settlement with more than 300 alleged victims of 332 women and girls who alleged they were Nassar sexual assault victims. See MSU reaches $500M settlement with Nassar victims. This huge civil liability and the fact that MSU accepteed it rather than risk a potential jury verdict reflects the significance of the this liability risk.

About the Author

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Tips Help Exempt Organizations Avoid Common Form 990 Filing Mistakes

May 7, 2019

Tax-exempt organizations operating on calendar-year tax year should take some simple steps to avoid potentially costly mistakes when preparing their Form 990-series return, which are due May 15th unless the exempt organization has filed Form 8868, Application for Automatic Extension of Time To File an Exempt Organization Return.

The IRS suggests organizations consider using the following steps when completing their Form 990 to ensure a complete return and reduce the chances the IRS will send a return back or need to request additional information:

Issue 1: Report your organization’s correct organization type. Many organizations report the incorrect organization type in Part I of Schedule A, Public Charity Status and Public Support, which all 501(c)(3) organizations must file with Form 990 or 990-EZ.

Solution: Look at the letter the IRS sent your organization recognizing it as exempt (your “determination” letter) to verify your correct organizational type to confirm the right answer.

Filers then also should accurately and fully complete all information about their public charity status on Schedule A. As indicated in the instructions to Schedule A, the public charity status an organization indicates on Schedule A can be the same as stated in the organization’s tax-exempt determination letter from the IRS (“exemption letter”) or subsequent IRS determination letter, or it can be different. See Instructions for Schedule A for more information.

Issue 2: Employment taxes. Many organizations forget to file required employment tax returns, such as Forms W-2, 940, 941 or 945.

Solution: Learn about employment tax filing requirements for exempt organizations. The Employment Issues Course explains how to report employee wages, payments to independent contractors and other reportable payments.

Issue 3: Missing attachments and schedules: Organizations often forget to attach the schedules that may be required of Form 990 or Form 990-EZ filers.

Solution: Carefully review Form 990 – Part IV, Checklist of Required Schedules, or Form 990-EZ – Part V, Other Information, and Part VI, Section 501(c)(3) Organizations Only, to ensure that your organization has completed and attached all required schedules.

The Form 990 Overview Coursediscusses which forms to file, when they are due, public disclosure of your return and tips to help prepare your Form 990-series return.

Electronic filing can help you file a complete return

Electronic filing provides you with fast acknowledgement that the IRS has received your return. It also reduces normal processing time, making compliance with reporting and disclosure requirements easier. To ensure you are ready to file electronically, check your Electronic Filing Identification Number (EFIN) to ensure it is active.

In August 2018, EFINs were deactivated (dropped) if the system showed no usage for two years. For some filers, the system erroneously deactivated the account if the only returns filed using the EFIN were Form 990 series returns. Log into your existing IRS e-File applicationto check your EFIN status. If the status is not listed as “Active,” you will need to reapply for a new EFIN by choosing the “Reapply” link on the “Application Details” page. If an exempt organization encounters any problems when reapplying, it may contact the IRS e-help Desk on 1-866-255-0654.

About the Author

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Form 990, Health Care, Health Insurance, Health Plan, Health Plans, healthcare, Hospice, Hospital, hospitals, Tax, Tax-Exemption | Tagged: Charity, Form 990, Health Care, irs, tax-exempt | Permalink
Posted by Cynthia Marcotte Stamer

New GAO Report Likely To Fuel Scrutiny Of Air Ambulance Charges

March 21, 2019

Expect greater Congressional, regulatory and payer scrutiny of air ambulance coverage and services in response to a new US Government Accountability Office (GAO) Report entitled Air Ambulance: Available Data Show Privately-Insured Patients Are at Financial Risk released yesterday.

The report raises the alarm that out-of-network air ambulance transport costs and the risk of its balance billing poses a risk to patients.

The report analyzed FAIR Health data to show that about two-thirds (69 percent) of air ambulance transports for privately insured patients in 2017 were out of network, and that the proportion was similar (75 percent) in 2012. The report noted that the proportion is higher than the rate research shows for ground ambulance transports and other types of emergency services.

Further analyzing FAIR Health data, the GAO found that the median prices charged for air ambulance transport rose in recent years. Prices for helicopter transport and fixed-wing transport increased over 60 percent from 2012 to 2017.

The GAO turned to FAIR Health because our data repository was determined to be “the most complete data source we identified with data on prices charged for and the network status of air ambulance transports for privately-insured patients.” The GAO determined the reliability of FAIR Health data by “reviewing related documentation, interviewing relevant officials, checking for internal consistency, and comparing our results across data sets and to published sources.”

The release of the report comes as insurers and other payers are pushing Federal and state legislators and regulators to clamp down on out of network emergency and other charges.

The Patient Protection and Affordable Care Act (“ACA”) sought to protect patients from “surprise bills” for out-of-network services incurred when the need for emergency care denied the patient the option of choosing a in-network provider contracted with the patient’s health plan to provide care at discounted rates.

Insurers are complaining to legislators and regulators that this emergency coverage provision is Driving up healthcare costs by incentivizing the growth of out-of- network emergency care. Payers accuse healthcare providers that are out of network of driving up healthcare costs by overcharging for their services. payers are lobbying to obtain controls on these out of network services through federal and state legislation limiting coverage and balance billing for these services.

Meanwhile, air ambulance and other emergency transportation services generally contend that high operating costs and unreasonable coverage practices by payers are the problem. These providers argue their rates are driven by high operating costs to provide these services, the high number of uninsured or underinsured patients needing the services, and the exclusion or limitation of coverage for the services and refusal to reimburse providers at adequate rates. They also point out that aside from limiting reimbursement rates, many insurers exclude air ambulance services from coverage in their entirety. Accordingly, patient is transported by air ambulance generally incur substantial uncovered charges whether or not the ambulance happens to be contracted as an in network provider. Many out of network and other air ambulance providers argue that payers seek to exercise and do market pressure to try to compel providers to deliver care and services at prices that are not financially viable and to restrict care in a manner that is inconsistent with patient needs. They caution that cutbacks in reimbursement will further endanger patients needing immediate transportation by limiting the availability of the services in what often are life and death situations.

With the debate over “surprise billing” versus “surprise denials” heating up and emergency services and their costs, look for heightened scrutiny of charges and a slew of new regulatory proposals ahead.

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | air ambulance, ambulance, balance billing, Consumer Driven Health Care, Corporate Compliance, Emergency Care, Employee Benefits, Health Care, Health Care Finance, health care reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, Hospital, Hospital, hospitals, managed care, Medicare Fee Schedule, participating provider, Physician, Provider contracting, Reimbursement, surprise billing, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Physicians Pay $700,000 to Settle False Claims Act Violation Charges Arising from Financial Relationship with Drug Testing Lab

May 8, 2018

Three physicians are paying a total of $700,000 to settle Justice Department (DOJ) charges stemming from financial relationships with a drug testing lab. The settlement highlights the continuing need for providers to exercise care to avoid entering into financial arrangements with laboratories that DOJ, the Department of Health & Human Services Office of Inspector General (OIG) considers improper under federal health care fraud laws.

Dr. Robert Fetchero, D.O., Dr. Sridhar Pinnamaneni, M.D., and Dr. Thelma Green-Mack, M.D., separately agreed to settle allegations that they each received improper payments for referrals from Greensburg, Pennsylvania drug testing lab Universal Oral Fluid Laboratories, and caused false claims to be submitted to Medicare for drug testing services, United States Attorney Scott W. Brady announced yesterday.

The settlements announced resolve allegations that the settling physicians referred Medicare patients to Universal Oral Fluid Laboratories (“UOFL”) for drug testing services while engaged in a financial relationship with the lab. Specifically, UOFL paid the settling physicians to refer their patients to the lab for drug tests; UOFL then submitted claims to Medicare for the drug testing services from 2011 to 2014.

The settlements follow the earlier guilty plea on related charges of UOFL’s former medical director, Dr. John H. Johnson.

UOFL was owned and operated by William Hughes. The United States alleged that the financial arrangement between the settling physicians and UOFL violated the physician self-referral law, commonly known as the “Stark Law,” and the Anti-Kickback Statute, giving rise to liability under the False Claims Act. Pursuant to separately executed settlement agreements, Dr. Fetchero agreed to pay $200,000; Dr. Pinnamaneni agreed to pay $370,000; and Dr. Green-Mack agreed to pay $130,000.

The Stark Law forbids physicians from making referrals for certain designated health services payable by Medicare to an entity with which he or she (or an immediate family member) has a financial relationship, unless an exception applies. The Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving remuneration to induce referrals of services covered by federal health care programs, such as Medicare. Violations of the Stark Law or Anti-Kickback Statute may give rise to civil liability for treble damages and penalties under the False Claims Act.

The settlements and underlying charges the resolve illustrate the risks that physicians and other providers run for participating in financial arrangements not structured to clearly meet applicable federal anti-kickback and STARK rules.

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

May 8, 2018

Review Your Provider Performance Data

December 13, 2017

January 3 is Deadline for Inpatient Rehabilitation Facility (IRF) and Long-term Care Hospital (LTCH) providers to review their Medicare performance data on each quality measure based on Quarter 2 -2016 to Quarter 1 – 2017 data, before the March 2018 IRF and LTCH Compare refresh, during which this data will be publicly displayed.

Providers have until January 3, 2018 to review their performance data.

Corrections to the underlying data will not be permitted during this time. However, providers can request a CMS review during the preview period if they believe their data is inaccurate.

For more information, see:

IRF Quality Public Reporting webpage, IRF Compare, and Preview Report Access Instructions
LTCH Quality Public Reporting webpage, LTCH Compare and Preview Report Access Instructions

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Clinical pathway, Electronic Medical Records, Health care coding, health care reimbursement, HHS, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Medicare Fee Schedule, quality reporting, Reimbursement, Uncategorized | Tagged: CMS, Health Care Compliance, Health Care Policy, health care quality, Health Care Reimbursement, Hospitals, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

11/30 Deadline For Critical Access Hospital Hardship Exception Applications

November 13, 2017

November 30 is the deadline for Critical Access Hospitals (CAHs) to submit a hardship exception application to avoid the 2016 payment adjustment based on the 2016 reporting year for failing to meet the meaningful use requirements of the American Recovery and Reinvestment Act of 2009 (ARRA),

Under AARA, Congress mandated CAHs that are not meaningful users of Certified Electronic Health Record (EHR) Technology under the Medicare EHR Incentive Program receive negative payment adjustments beginning in 2015. Specifically, section 4102(b)(2) of the HITECH Act amended section 1814(l) of the Act to include an adjustment to a CAH’s Medicare reimbursement for inpatient services if the CAH is not a meaningful EHR user for an EHR reporting period unless the CAH qualifies for a hardship exception. CAHs must demonstrate meaningful use every year according to the timelines specified to avoid Medicare payment adjustments. For example, CAHs that demonstrate meaningful use in 2017 will avoid the payment adjustment in 2017, but they also must demonstrate meaningful use in 2018 to avoid the payment Medicaid CAHs that do not bill Medicare are not subject to these payment adjustments in 2018. Medicaid CAHs that do not bill Medicare are not subject to these payment adjustments.

A CAH demonstrates meaningful use by successfully attesting through either the CMS Attestation System or through its state’s attestation system annually by the applicable deadline:

If a CAH does not meet the meaningful us requirement, it may be possible to avoid the payment adjustment by qualifying for a hardship exception. AARA allows CMS on a case-by-case basis, to grant CHAs an exception from this adjustment if CMS or its Medicare contractor determines, on an annual basis, that a significant hardship exists.

If the facility is a CAH, as defined in the Stage 2 Final Rule 42 CFR Part 413 § 413.70(C), that is new in the payment adjustment year (2016) and has not previously operated, CMS will grant a hardship exception automatically and is automatically exempt from the payment adjustment. Note that CAHs are NOT considered NEW if any of the following circumstances apply:

The CAH builds a new or replacement facility/facilities at the same or another location even if this is coincidental with a change of ownership, a change in management or a lease arrangement;
A CAH closes and subsequently reopens; or o A CAH that has been converted from an eligible hospital.

If any of the outlined circumstances listed apply, the CAH should consider applying for a hardship if it has not successfully demonstrated meaningful use for an EHR reporting period and if at least one of the hardship reasons indicated on the application was met.

There are several categories of hardship exceptions for CAHs:

CAHs can also apply for a hardship exception for the following circumstances:

Insufficient Internet Connectivity – The CAH was located in an area without sufficient Internet access to comply with meaningful use objectives requiring Internet connectivity, and faced insurmountable barriers to obtaining such Internet connectivity.
Extreme and Uncontrollable Circumstances – If they encounter an unforeseeable barrier, such as a natural disaster (includes vendor issues).

CAHs can submit hardship exception applications in two ways:

Electronic submission via e-mail to Sent to ehrhardship@provider-resources.com; or
Paper submission via fax to 814-456-7132.

All hardship exception determinations will be returned via email from ehrhardship@provider-resources.com to the email address provided on the application.

If approved, the hardship exception is valid for the 2016 payment year only. If the CAH claims a hardship exception for a following payment year, the CAH must submit a new application.

For more information, reviewthe Critical Access Hospital Payment Adjustment and Hardship Exception Tipsheet and visit the Payment Adjustments and Hardship Information webpage on the EHR Incentive Programs website.

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Accreditation, Ambulatory care, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, Hospital, hospitals, Medicare Fee Schedule, Reimbursement, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

OCR Gives Health Care Providers, Other Covered Entities Post-Las Vegas Shooting HIPAA Medical Privacy Guidance On Disclosures To Family, Media & Others For Notification & Other Purposes

October 9, 2017

Widespread media coverage of this week’s Las Vegas, Nevada mass shooting (Las Vegas Shooting), and recent Hurricanes in Texas, Florida and Puerto Rico shows the barrage of requests for patient information from emergency and disaster response personnel, concerned family and friends, the media or others about the identity, status and other circumstances of patients and other individuals that health care providers caring for patients following a mass disaster or other emergency.

The tight restrictions and potentially stiff penalties authorized under the Health Insurance Portability And Accountability Act (HIPAA) Privacy and Security Rule (Privacy Rule) on health care providers, health plans, and health care clearinghouses (Covered Entities) for improperly disclosing information about identifiable patients under the Privacy Rule necessitate that health care providers and other Covered Persons exercise great care to ensure that statements and other disclosures of identifiable patient information either are authorized in writing in accordance with HIPAA or otherwise specifically allowed under the Privacy Rule. See, e.g., $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI; $2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others; $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use.

Following the Las Vegas Shooting, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) on October 3, 2017 issued an announcement on “Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification” (Announcement) intended to clarify certain limited situations when OCR interprets the Privacy Rule as allowing Covered Entities to disclose PHI to individuals involved in the patient’s care, the media or other parties not involved in the patient’s care for notification purposes without prior patient authorization. Health care providers and other Covered Entities should review and update their existing Privacy Rule policies, practices and training in response to this and other evolving guidance to help prepare their teams appropriately to respond to family, media and other inquiries about patients in emergency and other circumstances.

Privacy Rule Generally

While mass shooting events like the Las Vegas Shooting, recent hurricanes, Ebola or other contagious disease outbreak and other mass injury or illness events garner widespread media and public attention, health care providers and other Covered Entities also regularly field requests for PHI about current or former patients from family and others involved in patients’ care or treatment, law enforcement, law enforcement, and the media or other members of the general public not involved in patient care.

The Privacy Rule generally requires Covered Entities to keep confidential, and prohibits Covered Entities from disclosing individually identifiable health care information about a patient that qualifies as “protected health information” or “PHI” without first obtaining a HIPAA-compliant authorization unless the disclosure meets all the requirements to fall under an exception defined in the Privacy Rule.

Since HIPAA’s broad definition of PHI encompasses even the name, identity and even existence of a patient, as well as more specific information about the current or past health condition and treatment of a patient, health care providers and other Covered Entities must prepare and train their staff to be prepared appropriately to comply with the Privacy Rules even when considering disclosing PHI to identify an incapacitated patient, notify or respond to inquiries of family or others involved in caring for patient during an emergency or disaster.

As OCR guidance consistently reaffirms, the Privacy Rule’s general prohibition against PHI without prior patient authorization and other requirements generally still apply during public health or other emergencies.[1] While Social Security Act § 1135(b)(7) allows HHS temporarily to waive sanctions and penalties for violations of some, but not all Privacy Rule requirements by a covered hospitals operating under disaster protocols during periods the President declares an emergency or disaster and the HHS Secretary declares a public health emergency as in response to Hurricanes Katrina,[2]Harvey,[3] Irma,[4] and Maria,[5] this relief is rarely applicable, and limited in scope, applicability and duration.[6] Consequently, Covered Entities still need to ensure that any contemplated disclosure is either authorized or meets all requirements the Privacy Rule requires to fall under an exemption to its general prohibition against unauthorized disclosure to avoid becoming subject to civil or even criminal sanctions under the Privacy Rule even when responding to inquiries during mass disaster, public health emergency or other exigent circumstances.

As discussed in November 2016 OCR Bulletin On HIPAA Privacy in Emergency Situations, the Privacy Rule includes various exceptions that may allow a health care provider or other Covered Entity to disclose the PHI of a patient involved in a public health or other emergency without patient authorization including:

PHI about the patient necessary to treat the patient or to treat a different patient including the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501;
To a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department, authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. See 45 CFR §§ 164.501 and 164.512(b)(1)(i);
As necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public when consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j);
To a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care or as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death provided that the Covered Entity gets at least verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; or if the individual is incapacitated or not available, in the Covered Entity’s professional judgment, doing so is in the patient’s best interest. See 45 CFR 164.510(b);
With disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death without authorization if doing so would interfere with the organization’s ability to respond to the emergency; or
Limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) to the media or others not involved in the care of the patient upon request for information about a particular patient by name, if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a).

Announcement Clarifies Privacy Rules For Disclosures To Individuals Involved In Patient’s Care; For Notification; And To Media Or Others Not Involved In Patient Care

The new OCR Announcement provides clarification of the applicability of the Privacy Rule exemptions regarding disclosures of PHI by health care providers or other Covered Entities:

To individuals involved in the patient’s care or for notification purposes; or
To media or other individuals not involved in the patient’s care.

In addition, the Announcement also reminds Covered Entities:

Of their responsibility to limit disclosures made without HIPAA-compliant patient authorization other than for treatment purposes to the minimum necessary,
That the Privacy Rule allows Covered Entities to rely upon certifications that information requested by public health authorities or officials that the information requested is the minimum necessary; and
To continue to enforce role-based restrictions on PHI.
Disclosures to Family, Friends, Disaster Relief Responders and Others Involved in an Individual’s Care and for Notification

Privacy Rule §164.510(b) permits a Covered Entity to share PHI:

With a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.
About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See Privacy Rule § 164.510(b).

When making such disclosures, the Announcement states a Covered Entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.

Concerning patients who are unconscious or incapacitated, the OCR guidance also states that a health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider in its professional judgement determines that doing so is in the best interests of the patient.

In addition, OCR says Covered Entities also may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. When disclosing PHI to disaster relief organizations, the Announcement states it is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

As the Las Vegas Shooting illustrates, health care providers and other Covered Entities caring for patients during public health or other emergency situations often must deal with news or other media crews on or around treatment or other health care facilities and media and inquiries from the media or others about the identity, status or other PHI of patients. OCR’s past imposition of stiff penalties against other Covered Entities for improperly disclosing patient PHI to the media or the public without authorization alert Covered Entities of HIPAA risks of failing to properly control access and disclosures of PHI to the media or other general public without obtaining prior written authorization from patients or their personal representatives. See e.g., $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI. See also HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce.

Previously issued OCR guidance makes clear that health care providers and other Covered Entities risk sanction both from allowing media or other members of the public inappropriate access to patient treatment or other areas with unsecured PHI as well as media statements and other disclosures of PHI to the media or public without first obtaining a HIPAA-compliant authorization except under narrow circumstances specified in the Privacy Rule.. See 45 CFR 164.510(a). OCR FAQ on Disclosures to the Media, for instance, states:

“the HIPAA Privacy Rule does not permit health care providers to disclose PHI to media personnel, including film crews, without having previously obtained a HIPAA-compliant authorization signed by the patient or his or her personal representative. In other words, health care providers may not allow members of the media, including film crews, into treatment areas of their facilities or other areas where PHI will be accessible in written, electronic, oral or other visual or audio form, without prior authorization from the patients who are or will be in the area or whose PHI will be accessible to the media. It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixilation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.

In addition, the health care provider must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.

While emphasizing the Privacy Rule’s general requirement to secure advance authorization, OCR FAQ on Disclosures to the Media also recognizes the following “very limited situations” that the Privacy Rule permits a Covered Entity to disclose limited PHI to the media without obtaining a HIPAA authorization:

A Covered Entity may disclose limited PHI about an unidentified incapacitated patient to the media seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care if, in the hospital’s professional judgment, doing so is in the patient’s best interest. See 45 C.F.R. 164.510(b)(1)(ii);
A Covered Entity may disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name. See 45 C.F.R. 164.510(a);
The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility;
A health care provider may utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place. If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate. Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed. See 45 C.F.R. 164.504(e)(2). As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI. In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated; and
Covered Entities can continue to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the Covered Entity does not share PHI with the media without the prior authorization of the individuals who are the subject of the PHI.

The Announcement reaffirms the general principles stated in this and other prior guidance concerning Covered Entities dealings with the media and public and clarifies its interpretation about what PHI, if any, the Privacy Rule allows hospitals and other health care providers about PHI may share in response to requests from the media or other individuals not involved in the care of a patient without first obtaining an authorization.

The Announcement reaffirms that affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient) that complies with HIPAA’s authorization requirements. See 45 CFR 164.508.

The Announcement also clarifies, however, that Covered Entities that are hospitals or health care facilities that receive a request for information about a particular patient by name may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

Minimum Necessary Requirements & Other Privacy Rule Responsibility Reminders

The Announcement also cautions Covered Entities of the need to ensure beyond ensuring that a disclosure falls under a Privacy Rule exception, Covered Entities also need to ensure that other requirements of the Privacy Rule applicable to the disclosure also are met. In this respect, the Announcement cautions Covered Entities that the Privacy Rule requires they limit any otherwise permitted disclosure of PHI other than for treatment purposes made without obtaining a HIPAA-compliant patient authorization to the minimum necessary to achieve the allowed purpose, while also reminding Covered Entities that when making disclosures otherwise permitted to public health authorities or public officials, the Privacy Rule allows the Covered Entity to rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

Furthermore, the Announcement also warns Covered Entity that they should continue to apply their role-based access policies to limit access to PHI to only those workforce members who need it to carry out their duties. See Privacy Rules §§ 164.502(b), 164.514(d).

In addition to keeping in mind these Privacy Rule conditions, Covered Entities also need to take steps to ensure that their organizations and workforce also continue to follow all necessary procedures to ensure that their organizations can demonstrate continued compliance with other Privacy Rule requirements on verification, documentation and recordkeeping, accounting for disclosure, business associates and the like. In this regard, it is important that Covered Entities and their business associates take appropriate steps to ensure that their workforce carefully creates and retains the documentation and records needed to defend their actions as well as to respond to HHS requests and/or requests for accounting or disclosure that might arise in the future.

Required Action: Review & Update Emergency & Other Practices, Training In Response To Evolving Guidance

The Privacy Rules and other OCR guidance make clear that health care providers and other Covered Entities and their business associates are expected both to implement and maintain their practices, policies, workforce training and safeguards appropriately to control use, access and disclosure in emergency and other situations as well as to implement the necessary systems and safeguards to protect sensitive PHI, electronic PHI and associated records and system from improper access from the media or others and damage or destruction from disaster or other events.

In recognition that maintaining Privacy and Security Rule Compliance can prove challenging for Covered Entities and their business associates during emergency or other exigent events, OCR has published various other guidance it hopes will help Covered Entities and business associates prepare for and respond to these challenges including its Disclosure For Emergency Preparedness Decision Tool; and Public Health Authority Disclosure Request Checklist.

Covered Entities and their business associates should act promptly to review and update their policies, practices, safeguards and workforce training as needed in response to the new Announcement and other OCR guidance promptly.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career. Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011, Ms. Stamer extensive experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

[1] See e.g. OCR Bulletin: HIPAA Privacy in Emergency Situations (November 2014).

[2] Disclosing PHI in Emergency Situations; Compliance Guidance and Enforcement Statement.

[3] August 2017 Hurricane Harvey Bulletin.

[4] September 2017 Hurricane Irma Bulletin.

[5] September 2017 Hurricane Maria Bulletin

[6] The HIPAA Privacy Rule is not suspended during a public health or other emergency; however, Section 1135(b)(7) of the Social Security Act allows HHS to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the Privacy Rule events if the President declares an emergency or disaster and the Secretary declares a public health emergency:

the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
the patient’s right to request confidential communications. See 45 CFR 164.522(b).

If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency

period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol. See also Social Security Act 1135(b)(7); Frequently Asked Question: HIPAA waiver during a national or public health emergency; OCR Bulletin: HIPAA Privacy in Emergency Situations (November 2014).

Leave a Comment » | 1335 Waiver, Academic medicine, ARRA, ASC, Childrens Health Insurance Program, Corporate Compliance, Cyber crime, data breach, data security, Disaster Relief, Doctor, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, ERISA, FACTA, Federal Health Center, Fiduciary Responsibility, GINA, Health Care, Health Care Provider, Health Care Quality, Health IT, Health Plan, Health Plans, Health Policy, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospital, Hospital, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Joint Commission, Laws, managed care, Meaningful Use, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Privacy, Psychiatric, Skilled Nursing Facility, Technology, Telemedicine, Uncategorized, Veterans Health Administration | Tagged: Crisis preparedness, Cybercrime, Disaster, dta breach, Emergency, Health Care, HIPAA, Hurricane, Hurricane Harvey, Hurricane Irma, Hurricane Maria, Las Vegas Shooting, Mass Shooting, Medical Privacy, OCR, Privacy, public health, Terrorism | Permalink
Posted by Cynthia Marcotte Stamer

Christus Pays $12.24M Settlement Resolves False Claims Act Charges From “Donations” To New Mexico

September 11, 2017

CHRISTUS St. Vincent Regional Medical Center (St. Vincent) and its partner, CHRISTUS Health (CHRISTUS), have agreed to pay $12.24 million, plus interest to resolve charges by the U.S. Department of Justice (DOJ) and U.S Department of Health and Human Services Office of Inspector General (OIG) they violated the False Claims Act by making illegal donations to county governments that the counties used to fund the state share of Medicaid payments to the hospital. The settlement announced September 1, 2017 highlights the needs for States and private healthcare providers to use care to ensure that creative partnerships don’t violate federal Medicare or other program requirements as well as the risk that the False Claims Act or other whistleblower rules will incentivize disgruntled employees or other service providers to bring aggressive conduct to the attention of federal officials.

The settlement resolves allegations made in U.S. ex rel. Stepan v. Christus St. Vincent Regional Medical Center Corp. et al., Civil Action No. 11-cv-572 (D.N.M.) that St. Vincent and CHRISTUS allegedly caused the State of New Mexico to present false Medicaid claims in violation of the False Claims Act by making non-bona fide donations to the State of New Mexico that New Mexico improperly used to fulfill the requirement that the State pay 25% “matching” share to fund the New Mexico Sole Community Provider Program (SCP) between 2001 and 2009.

Under the now defunct SCP Program, federal law required that New Mexico fund 25% of the costs of the SCP program to qualify for reimbursement from the federal government for approximately 75 percent of its health care expenditures under the SCP program. Under federal law, New Mexico’s 25 percent “matching” share of SCP program payments had to consist of state or county funds, and not impermissible “donations” from private hospitals. Congress enacted this restriction on the use of private hospital funds to satisfy state Medicaid obligations to curb possible abuses and ensure that states have sufficient incentive to curb rising Medicaid costs.

The charges resolved by the settlement originally were brought in a qui tam lawsuit filed by a former Los Alamos County, New Mexico Indigent Healthcare Administrator . The whistleblower will receive $2.249 million as her share of the recovery in this case.

The prosecution and its settlement drive home both the importance for States receiving Medicaid funds and private health care partners providing services to patients reimbursed by these funds to use care to comply with all applicable program requirements, as well as the continuing risk of exposure and resulting liability from whistleblower claims brought by unhappy employees or others looking to use their knowledge of questionable conduct to realize profitable recoveries.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Ms. Stamer works with health industry and related businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Academic medicine, Anti-KickBack, Conditions of Participation, Corporate Compliance, Employment, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Reform, health care reimbursement, Hospital, Hospital, Medicaid, Uncategorized | Tagged: DOJ, false claims act, Health Care Fraud, HEAT, Medicaid, OIG, St. Vincent Christus, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

HHS Issues Hurricane Irma Relief For Puerto Rico, U.S. Virgin Islands & Florida

September 8, 2017

In preparation for anticipated disruptions and damage from Hurricane Irma, Health and Human Services (HHS) Secretary Tom Price, M.D. declared a Public Health Emergency in Puerto Rico and the U.S. Virgin Islands on Wednesday, September 6, 2017 and in Florida on Thursday, September 7, 2017.

By declaring the disaster and before the Hurricane makes landfall, HHS seeks to maximize the flexibility of healthcare providers to respond to the anticipated deluge of health care needs anticipated to occur around the Hurricane by using its authority under Social Security Act 1135 to waive and modify certain health care rules under Medicare, Medicaid and certain other federal programs. See here.

Beyond modification of these requirements, the declaration also triggers limited relief for covered health care providers from certain otherwise applicable requirements of the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rules. See here for OCR’s latest guidance on the limited waiver of HIPAA Sanctions and penalties during a declared emergency.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Ms. Stamer works with health industry and related businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management, disaster and other crisis preparedness and response, and other performance and operations management and compliance. Her experienced includes career long involvement in advising and defending health industry and other organizations about disaster and other crisis preparation, response and mitigation arising from natural and man-made disasters, government enforcement, financial distress, workplace emergencies and accidents, data breach and other cybersecurity and other events. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | 1335 Waiver, Academic medicine, Ambulatory care, Border Health, Childrens Health Insurance Program, Conditions of Participation, Disaster Relief, DME, Doctor, EMTALA, Federal Health Center, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, healthcare, HIPAA, Hospice, Hospital, hospitals, Inpatient Rehabilitation Facility, Medical Privacy, Medical Records, Medicare Fee Schedule, OCR, Physician, Physician Licensing, public health, Public Policy, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

SCOTUS Bars State Law Restrictions On Health, Other Arbitration Agreement Enforceability

May 16, 2017

Monday’s U.S. Supreme Court ruling in Kindred Nursing Centers L.P. v. Clark boosts the ability of health care and other businesses and employers to enforce contractual agreements to arbitrate free from limits or other interference by State law imposed restrictions limiting the use or enforcement of arbitration agreements. Healthcare and other businesses and employers operating in States with special requirements for the enforcement of arbitration agreements should consult with legal counsel about the implications of the decision on their ability to use and enforce arbitration agreements with patients and other customers, employees and others prospectively and in ongoing disputes where the enforceability of arbitration agreements based on state law restrictions is an issue, as well as re-evaluate the effects of their own agreements to arbitration in past and future contracts might strengthen the ability of others unexpectedly to force arbitration.

The Kindred decision arose from the efforts of a health care provider, Kindred, to enforce arbitration clauses in nursing home agreements signed by legal representatives of patients admitted to its facilities. Kindred appealed to the federal courts after the Kentucky Supreme Court blocked Kindred from enforcing these contractual agreements to arbitrate because neither power of attorney specifically entitled the representative to enter into an arbitration agreement. The Kentucky Supreme Court imputed the requirement that the power of attorney specifically grant authority to agree to arbitration because the Kentucky Constitution declares the rights of access to the courts and trial by jury to be “sacred” and “inviolate” even though Kentucky law ordinarily would not require a similar express grant of power to enforce other types of contractual provision.

The U.S. Supreme Court in Kindred held that the Kentucky Supreme Court’s clear-statement rule violates the Federal Arbitration Act (FAA) by singling out arbitration agreements for disfavored treatment. Pp. 4–10.

The Supreme Court decision construed the FAA provision that arbitration agreements are “valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract,” 9 U. S. C. §2, as requiring equal treatment of arbitration provisions with other contractual provisions. Under this equal treatment principle, the Supreme Court ruled a court may invalidate an arbitration agreement based on “generally applicable contract defenses,” but not on legal rules that “apply only to arbitration or that derive their meaning from the fact that an agreement to arbitrate is at issue.” Accordingly, the Supreme Court ruled that the FAA preempts any state rule that discriminates on its face against arbitration or that covertly accomplishes the same objective by disfavoring contracts that have the defining features of arbitration agreements.

Concluding that the Kentucky Supreme Court’s clear statement requirement for enforcement of arbitration provisions fails to put arbitration agreements on an equal plane with other contracts by requiring an explicit statement before an agent can relinquish her principal’s right to go to court and receive a jury trial, the Supreme Court found the Kentucky Supreme Court did exactly what the FAA barred: adopt a legal rule hinging on the primary characteristic of an arbitration agreement. Pp. 4–7. Accordingly the Supreme Court ordered the arbitration agreements enforced in Kindred.

Management Pointers & Action Items

The Supreme Court’s construction in Kindred of the FAA as establishing an “equal protection” rule for arbitration provisions expands the ability of health care organizations and others to enforce arbitration clauses in patient and other customer, employee and other contracts which previously might have been barred by special State statutory, regulatory or judicial requirements on the enforceability of arbitration clauses not generally applicable to other types of contractual provisions. While very valuable for health care organizations, this ruling also is likely to have implications beyond health care contracts to a broad range of other state laws and rules that purport to protect consumers, employees and others to contractually waive their litigation rights. While the Supreme Court ruling leaves open the ability to challenge arbitration clauses on contractual grounds generally applicable to all contracts, special State law rules for enforcing arbitration are not allowed.

Health industry and other management should review their arbitration agreements and related dispute resolution agreements with qualified legal counsel for potential options to reduce risks and manage dispute resolution costs using arbitration agreements with patients and other customers, employees, service providers and others as well as to understand the implications of existing arbitration clause is on their exposures to others arising from contractual agreements to arbitrate previously thought to be subject to state law restrictions on enforceability. Health care and other businesses and individuals considering entering in or enforcing arbitration agreements should keep in mind, however, that the Kindred ruling does not insulate arbitration agreements from State law defenses that apply equally to other non-arbitration contracts.

About The Author

Ms. Stamer works domestically and internationally with health, insurance and financial services, data and technology, services and consulting, energy, retail, hospitality and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality and governmental employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The publisher and the author expressly disclaim all liability for this content and any responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | Ambulatory care, Consumer Driven Health Care, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Hospital, Hospital, hospitals, Physician, Rural Health Care, Skilled Nursing Facility, Uncategorized | Tagged: arbitration, dispute resolution, Health Care, nursing home, Risk Management, SCOTUS, SNF | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Speaks, Moderates On Medical Cyber Security At LA Medical Privacy Summit

May 12, 2017

Solutions Law Press, Inc. editor and attorney Cynthia Marcotte Stamer will speak and moderate two key panel programs on health care privacy and data security scheduled at the Healthcare Privacy & Security Form hosted on May 19, 2017 by the Information Security Systems Association of Los Angeles County (ISSA-LA) as a component of its 9th Annual ISSA-LA Information Security Summit. The presentations of Ms. Stamer and others at the conference are particularly timely coming on the heels of the May 12 Cyber alerts to U.S. health industry and other businesses about the urgent need to defend against the spread of an epidemic international malware threat targeting U.S. healthcare and other businesses. See Health Care, Health Plan & Other Health IT Systems Warned of E-Mail Cyber Attack; Urgent WannaCry Ransomware Cyber Warning Issued; Alert: Guard Health E-Mail, Other IT Against WannaCry Malware Attack.

The Medical Privacy & Security Summit is part of the 9th Annual ISSA-LA Information Security Summit scheduled for May 18-19, 2017 at the Universal City Hilton in Los Angeles. Recognized as a premier information security education and networking event, the Summit is expected to bring together 1000 or more health industry and other IT and InfoSec executives, leaders, analysts, and practitioners to learn from the experts, exchange ideas with their peers, and enjoy conversations with the community.

The Healthcare Privacy & Security Forum offered for the 5^th year as a component of the annual Summit on May 19 specifically focuses on leading challenges, issues and opportunities confronted by health industry privacy and security professionals and their organizations. Ms. Stamer has served on the steering committee, moderator and popular faculty member for the 2017 Forum for the 5^th consecutive year. During the 2017 Forum, she will moderate and speak on two panels:

“Finding & Negotiating The Mine Fields: CISO, CIO & Privacy Officer’s Playbook for Promoting Compliance & Security Without Getting Fired,” a luncheon interactive panel discussion with the audience exploring the challenging mission CISOs, CIOs and Privacy Officers face to ensure their healthcare, financial and other critical information, data and systems continue to support the patient care and operating functions of their organizations, while at the same time defending these systems, operations and their sensitive, but mission critical data against malicious or innocent misappropriation, use, access or destruction; and
The closing panel on “What Initiatives Are on the Horizon in Healthcare, and How Can We Secure Them?”, which will explore likely future emerging privacy and security threats and technologies, regulatory challenges and enforcement, and other trends that Privacy and Security professionals are likely to face and tips and strategies for preparing to leverage these likely new opportunities and manage new challenges.

Register or get the full schedule of programs and other events scheduled at the Healthcare Privacy & Security Forum specifically along with the overall Information Security Summit here.

About Ms. Stamer

Cynthia Marcotte Stamer is a Martindale-Hubble “AV-Preeminent (Top 1%) rated practicing attorney and management consultant, health industry public policy advocate, widely published author and lecturer, recognized for her nearly 30 years’ of work on health industry and other privacy and data security and other health care, health benefit, health policy and regulatory affairs and other health industry legal and operational as a LexisNexis® Martindale-Hubbell® “LEGAL LEADER™ and “Top Rated Lawyer,” in Health Care Law and Labor and Employment Law; a D Magazine “Best Lawyers In Dallas” in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law,” a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel.

Scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer is well-known for her extensive work and leadership throughout her career on HIPAA, FACTA, PCI, IRC and other tax, Social Security, GLB, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns. Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks, insurers and other financial institutions, and others on trade secret confidentiality, privacy, data security and other risk management and compliance including design, establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, drafting and negotiation of business associate, chain of custody, confidentiality, and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others; reporting known or suspected violations; commenting or obtaining other clarification of guidance and other regulatory affairs, training and enforcement, and a host of other related concerns.

Her clients include public and private health care providers, health insurers, health plans, employers, payroll, staffing, recruitment, insurance and financial services, health and other technology and other vendors, and others.

Author of a multitude of highly-regarded works and training programs on HIPAA and other data security, privacy and use published by BNA, the ABA and other premier legal industry publishers In addition to representing and advising these organizations, she also speaks extensively and conducts training on health care and other privacy and data security and many other matters Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify promote tangible improvements in health care and other policy and operational areas.

For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by e-mail here or by telephone at (469) 767-8872. ©2017 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Leave a Comment » | Corporate Compliance, Cyber crime, data breach, data security, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, ERISA, FDA, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, GINA, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Mental Heatlh, OCR, OIG, Pharmaceudical, Pharmacy, Physician, Prescription Drugs, Privacy, Psychiatric, quality reporting, Rural Health Care, Skilled Nursing Facility, substance abuse treatment, Technology, Telemarketing, Telemedicine, Uncategorized | Tagged: Cyber Security, Cybercrime, HIPAA, Malware, Medical Privacy, Medical Security, Technology, WannaCry | Permalink
Posted by Cynthia Marcotte Stamer

Health Care, Health Plan & Other Health IT Systems Warned of E-Mail Cyber Attack

May 12, 2017

Health care providers, health plans, health insurers, healthcare clearinghouses, their business associates and others involved in health information technology or related activities should raise their cyber security defenses and use cyber security best practices to defend their information systems and data against ongoing cyber security attacks targeting health industry information systems in the United States and abroad in a cyber security alert issued by Department of Health and Human Service (HHS) Laura Wolf Critical Infrastructure Protection Lead.

The cyber security alert states that there is evidence that cyber attacks affecting hospitals and healthcare information systems in the UK and other international locations” now are “occurring inside the United States.”

HHS states it is “working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems.

Meanwhile,HHS advises U.S. health industry organizations and information systems to exercise cyber security best practices – particularly with respect to email including HHS Ransomware Guidance available here and other information on ransomware in the following HHS Cyber Newsletters:

https://www.hhs.gov/sites/default/files/hippa-cyber-awareness-monthly-issue1.pdf

https://www.hhs.gov/sites/default/files/hipaa-cyber-awareness-monthly-issue3.pdf

https://www.hhs.gov/sites/default/files/february-2017-ocr-cyber-awareness-newsletter.pdf

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.
Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other data security, privacy and breach laws.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.
In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health plans, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other “nonpar,” insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Leave a Comment » | Academic medicine, Ambulatory care, CDC, Controlled Substances, Corporate Compliance, data breach, data security, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance Exchange, Health IT, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation Facility, Laws, managed care, Meaningful Use, Medicaid, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Pharmaceudical, Pharmacy, Physician, Privacy, Psychiatric, Telemarketing, Uncategorized | Tagged: Cyber Security, Cybercrime, Data Security, E-mail, Health Care, HIPAA, Malware | Permalink
Posted by Cynthia Marcotte Stamer

6/26 Deadline To Comment On Proposed Medicare SNF (Nursing Home) Rule Changes

May 10, 2017

June 26, 2017 is the deadline to submit comments to the Department of Health & Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) on changes to Medicare’s Skilled Nursing Facility (nursing home) reimbursement, quality reporting and various other proposed by CMS in the Medicare Program; Prospective Payment System and Consolidated Billing for Skilled Nursing Facilities for FY 2018, SNF Value-Based Purchasing Program, SNF Quality Reporting Program, Survey Team Composition, and Proposal To Correct the Performance Period for the NHSN HCP Influenza Vaccination Immunization Reporting Measure in the ESRD QIP for PY 2020 (Proposed Rule) published May 4^th. With the U.S. aging population making SNF expenditures both a significant Medicare cost driver and a major care concern for American families and communities, SNF and other health care providers, payers, community leaders, caregivers and other concerned stakeholders should act promptly to review the proposed changes and timely submit feedback in response to the Proposed Rule.

Among other things, the Proposed Rule as currently proposed would revise Medicare reimbursement and terms of participation rules for SNFs to:

Update the Skilled Nursing Facility (SNF) prospective payment rates and other background information for Fiscal Year (FY) 2018 in response to §§ 1888(e)(4)(E) and (H) of the Social Security Act (the Act);
Update the requirements for the Skilled Nursing Facility Quality Reporting Program (SNF QRP) and additional proposals for the Skilled Nursing Facility Value-Based Purchasing Program (SNF VBP);
Clarify requirements related to survey team composition and investigation of complaints under 42 C.F.R §§ 488.30, 488.301, 488.314, and 488.308;
Add a proposal related to the performance period for the National Healthcare Safety Network (NHSN) Healthcare Personnel (HCP) Influenza Vaccination Reporting Measure included in the End-Stage Renal Disease (ESRD) Quality Incentive Program (QIP); and
Solicits comments about potential changes to the recently finalized Requirements for Long-Term Care Facilities that CMS intends to reduce regulatory burdens as well as potential CMMI models and other demonstration projects that would reduce cost and increase quality of care for SNF, or more generally Post-Acute Care patients.

The Proposed Rule regulatory burden reduction proposals primarily focus on three areas also invites input about other areas of burden reduction and cost changes that could be accomplished by revising current SNF requirements for Medicare participation:

The Grievance and Abuse/Neglect Reporting Processes
Quality Assurance and Performance Improvement (QAPI)
Discharge Notices

SNF and other healthcare providers, payers, accreditation and oversight, payers, caregivers and others concerned about SNF care and reimbursement for patients in SNFs should carefully evaluate these proposals and share their input on the proposals and other opportunities to improve the Medicare SNF quality and reimbursement rules as soon as possible.

About The Author

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

Throughout her career, she has helped health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training ;board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other laws.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on health care, disability, aging, workforce, retirement and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Leave a Comment » | Corporate Compliance, Disease Management, Doctor, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Plan, Health Policy, healthcare, Hospice, Hospital, hospitals, Laws, Medicaid, Medical Malpractice, Medicare, Medicare Fee Schedule, Medicare Fee Schedule, Outcomes Data, public health, Skilled Nursing Facility, Uncategorized | Tagged: aging, Disability, Health, healthcare, Medicare, Medicare Reimbursement, nursing home, quality reporting, Skilled Nursing, SNF | Permalink
Posted by Cynthia Marcotte Stamer

Medical Clinic HIPAA Resolution Agreement Shows Need For Current Business Associate Agreements

April 24, 2017

Health care providers, health plans, health care clearinghouses and business associates must get and keep their business associate (BA) agreements (BAAs) in place, up- to-date, and readily available for inspection in accordance with the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164 (Privacy Rule). That’s the clear message physician practices and other health care providers, health plans, health care clearinghouses (“covered entities”) and their business associates should learn about Privacy Rule compliance from an April 17, 2017 HIPAA Resolution Agreement just announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) with the Center for Children’s Digestive Health (CCDH).

While the Resolution Agreement relates to breaches of the BAA requirements of a small pediatric practice, the Center for Children’s Digestive Health (CCDH), all health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA recordkeeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions. See e.g., HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017).

The HIPAA Business Associate Agreement Requirements

OCR’s announcement of the CCDH Resolution Agreement is the latest in a growing series of HIPAA enforcement actions showing the growing risk covered entities and their business associates face for failing to take appropriate steps to comply with the BAA and other Privacy Rule requirements of HIPAA.

As compliance audits and surveys of covered entities and business associates suggest a high level of noncompliance with the business associate agreement requirements among covered entities and business associates, While the ever-growing list of Resolution Agreements and Civil Monetary Penalties announced by OCR cover a variety of categories of HIPAA violations, the CCDH Resolution Agreement highlights the importance of covered entities and their business associates ensuring that before the BA creates, accesses, receives, discloses, retains or destroys any PHI for the covered entity, a BAA meeting the Privacy Rule requirements is signed and retained for at least the six year period the Privacy Rule requires in a manner easily producible when and if OCR or another agency asks for a copy as part of an investigation or other compliance audit. See Privacy Rule §§ 164.502(e), 164.504(e), 164.532(d) and (e).

The Privacy Rule requires that covered entities and business associates enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Meanwhile, the Privacy Rule recordkeeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years.

Violations of the Privacy Rule can carry stiff civil or even criminal penalties Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Under Section 1177, the criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

In contrast, as amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

While criminal enforcement of HIPAA remains relatively rare, a review of the OCR enforcement record in recent years makes clear that civil enforcement of HIPAA and the sanctions imposed is growing. See e.g., $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit. For more examples, also see here.

CCDH Sanctions For Violation Of HIPAA Business Associate Agreement Rules

The CCDH Resolution Agreement arises from violations of this requirement that OCR says it discovered as a result of a compliance review conducted in response to an OCR investigation of a CCDH business associate, FileFax, Inc. According to OCR, OCR found from the compliance review of CCDH triggered by OCR’s investigation of FileFax that while CCDH began disclosing PHI to Filefax in 2003 and that Filefax stored records containing protected health information (PHI) for CCDH, neither CCDH nor Filefax could produce a signed Business Associate Agreement (BAA) covering their relationship for any period before October 12, 2015.

Based on the resulting investigation, OCR concluded:

CCDH failed to obtain a BAA providing written assurances from Filefax that it would appropriately safeguard the PHI in Filefax’s possession or control satisfactory assurances as required by Privacy Rule §164.502(e); and
Because CCDH failed to secure the required BAA, it violated the Privacy Rule by impermissibly disclosing the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining the requisite BAA from Filefax (Covered Conduct).

In the Resolution Agreement, CCDH agrees to pay HHS $31,000.00 (Resolution Amount) and enter into and comply with a Corrective Action Plan (CAP) in return for OCR’s release of CCDH from liability for “any actions it may have against CCDH under the HIPAA Rules” for the Covered Conduct. The Resolution Agreement only settles the civil monetary penalty and other OCR enforcement liabilities of CCDH with respect to the Covered Conduct. Its provisions expressly state the Resolution Agreement does not affect any exposures of CCDH to CCDH to OCR civil monetary penalties or other enforcement for any HIPAA violations other than the Covered Conduct.

Perhaps even more noteworthy given the HITECH Act’s provisions coordinating the civil and criminal sanctions of HIPAA, while the Resolution Agreement provides no clear indication that the Justice Department might be considering criminally prosecuting CCDH or any other party in relation to the Covered Conduct, the Resolution Agreement also expressly states that its provisions do not affect CCDH’s potential exposure, if any, to criminal prosecution by the Justice Department for a criminal violation of the Privacy Rules under Section 1177 of the Social Security Act.

Implications For Covered Entities & Business Associates

Covered entities and their business associates should heed the CCDH Resolution Agreement as a strong message from OCR to ensure their organizations are complying with HIPAA’s BAA and other requirements. The Resolution Agreement makes clear that the starting point of this compliance effort must be obtaining and maintaining the requisite BAAs for each BA relationship.

To position their organizations to withstand potential investigation by OCR, covered entities and BAs should start by conducting a well-documented audit within the scope of attorney-client privilege both to verify that an appropriate, signed BAA is in place for each BA relationship as well as adequacy of processes for identifying business associate relationships, ensuring that signed BAAs are in effect before BAs access any PHI, and for investigating, reporting and resolving any breaches of the HIPAA Privacy or Security Rules that may arise in the course of operations.

Conducting this audit as soon as possible is particularly important in light of reported findings of widespread compliance concerns. See HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). As the audit process could identify potential violations or other legally sensitive concerns, covered entities and business associates generally will want to arrange for this audit and evaluation to be conducted under the supervision of legal counsel experienced with HIPAA within or pursuant to processes structured with the assistance of legal counsel within the scope of attorney-client privilege.

Beyond confirming all necessary BAAs are in place, covered entities and business associates also generally will want to evaluate the adequacy of BAs’ processes and procedures for maintaining compliance with the Privacy and Security Rules as well as processes and procedures for responding to audits, investigations and complaints, reporting and addressing breaches of electronic and other PHI and other possible compliance concerns under HIPAA and other related laws. In many instances, parties may n wish to revise and strengthen existing BAAs to more specifically define these policies and procedures more specifically as well as indemnification, cyber or other liability coverage requirements and other contractual provisions for allocating potential costs and liabilities arising from breaches, audits, investigations and other expenses associated with the administration of these provisions.

About The Author

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar, insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Leave a Comment » | Corporate Compliance, data breach, data security, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Psychiatric, Technology, Telemedicine, Uncategorized | Tagged: business associate, clinic, confidentiality, Health Care Provider, Health Plan, HIPAA, HITECH Act, Medical Privacy, Physician, Privacy, Privacy Rule | Permalink
Posted by Cynthia Marcotte Stamer

$400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments

April 12, 2017

Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), must pay $400,000 and implement a corrective action plan to resolve U.S. Department of Health and Human Services, Office for Civil Rights (OCR) charges it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement a security management process to safeguard electronic protected health information (ePHI). The settlement is the latest reminder to health providers, payers and their business associates to conduct timely risk assessments, implement needed security and otherwise manage HIPAA compliance.

The Resolution Agreement and Corrective Action Plan, like most others before it, resulted from an investigation opened in response to a breach report. On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident. However, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012 – well after the hacking incident reported in the breach report.

Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.

When MCPN finally conducted a risk analysis, OCR found that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

OCR made a point in announcing the Resolution Agreement of noting it considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. It is likely that OCR would have imposed a much greater settlement amount had the covered entity not been a FQHC serving the poor.

About The Author

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.
As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Ambulatory care, ASC, Border Health, Childrens Health Insurance Program, Civil Rights, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, data breach, data security, Disease Management, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Employment, ERISA, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Provider, Health Insurance Exchange, Health IT, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medical Privacy, Medical Records, Medicare Advantage, Mental Health, Mental Heatlh, OCR, Patient Empowerment, Peer Review, Pharmaceudical, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Privacy, Psychiatric, public health, Rural Health Care, Technology, Telemedicine, Veterans Health, Veterans Health Administration, Veterans Health Care, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules

February 2, 2017

The just-announced $3.2 million Health Insurance Portability & Accountability Act (HIPAA) Civil Monetary Penalty (CMP) that Children’s Medical Center of Dallas (Children’s) recently paid for failing to adequately secure electronic protected health information (ePHI) and correct other HIPAA compliance deficiencies demonstrates the risks healthcare providers, health plans and insurers, healthcare clearinghouses and their business associates (“Covered Entities”) run by failing to take appropriate, well-documented actions to timely to secure ePHI on systems and mobile devices or comply with other HIPAA Privacy or Security requirements.

The Department of Health & Human Services (HHS) Office of Civil Rights (OCR) imposed the $3,217,000.00 Civil Monetary Penalty (CMP) under a January 18, 2017 Final Determination based upon findings that Children’s for years knowingly violated HIPAA by failing to encrypt or otherwise properly secure ePHI on laptops and other mobile devices and failing to comply with many other HIPAA requirements. OCR originally notified Children’s of its intention to impose the CMP based on findings of widespread violations by Children’s of HIPAA in a September 30, 2016 Notice of Proposed Determination (Proposed Determination) that OCR sent to Children’s President of System Clinical Operations, David Berry. Although the Proposed Determination included instructions for requesting a hearing on the Proposed Determination, Children’s paid the CMP rather than exercising these hearing rights.

Breach Notice Investigation Reveals Children’s Failed For Years To Secure ePHI on Mobile Devices Despite Repeated Warnings

According to the Proposed Determination, OCR uncovered widespread HIPAA violations by Children’s while investigating the HIPAA compliance of the Dallas-based pediatric health and hospital system in response to two separate notices of large breaches of ePHI that Children’s filed with OCR in response to the HIPAA Breach Notification Rule. Under the Breach Notification Rule, Covered Entities generally must provide notice of any breach of unsecured ePHI involving more than 500 individuals with OCR, subjects of the breached ePHI and the media within 60 days of receiving notice of the breach. In contrast, for breaches of unsecured ePHI involving fewer than 500 individuals, Covered Entities generally must notify subjects of the breached ePHI within 60 days, but can delay notification to OCR until filing a consolidated annual report of small breaches of ePHI.

The two breach notifications that triggered the OCR investigation leading to the CMP both involved losses of mobile devices containing ePHI that Children’s filed with OCR.

The first breach report, filed on January 18, 2010, notified OCR of the loss at the Dallas/Fort Worth International Airport on November 19, 2009 of an unencrypted, non-password protected BlackBerry device containing the ePHI of approximately 3,800 individuals.

The second reported breach report filed on July 5, 2013, reported the theft of an unencrypted laptop with the ePHI of 2,462 individuals from its premises sometime between April 4 and April 9, 2013. The OCR investigation found that although Children’s implemented some physical safeguards to the operating room storage area (e.g., badge access was required, and a security camera was present at one of the entrances), it also provided access to the area to staff who were not authorized to access ePHI. Children’s janitorial staff had unrestricted access to the area where the laptop was stored but did not provide encryption to protect the ePHI on the laptop from access by such unauthorized persons. Children’s internal investigation concluded that the laptop was probably stolen by a member of the janitorial staff.

In the course of investigating these two reported breaches, OCR took note that Children’s previously reported a small breach of unsecured ePHI on an unencrypted mobile device. In a letter dated August 22, 2011, from Children’s Vice President of Compliance and Internal Audit and Chief Compliance Officer Ron Skillens to OCR Equal Opportunity Specialist Jamie Sorley, Mr. Skillens stated that a Children’s workforce member (an unidentified medical resident) lost an iPod device in December 2010. The iPod had been synched to the resident’s Children’s email account, which resulted in the ePHI of at least 22 individuals being placed on the device. The ePHI on the iPod was not encrypted. The loss of the iPod resulted in the impermissible disclosure of ePHI by the medical resident. OCR concluded the ePHI of 22 individuals was impermissibly disclosed, because the workforce member and agent of Children’s provided access to any unauthorized person who discovered the device.

OCR found that the breaches resulted from Children’s violation of the HIPAA Security Rule by failing to encrypt laptops and other mobile devices or and implement other appropriate safeguards for the protection of ePHI on mobile devices;
Failing to appropriately document its decision to not implement encryption on mobile devices and any applicable rationale behind a decision to use alternative security measures to encryption; and
Failing to implement security measures that were an equivalent alternative to the security protection available from encryption solutions.

The Proposed Determination also reports that the OCR ’s investigation revealed that Children repeatedly over several years knowingly failed to implement and administer proper encryption and other safeguards on laptops and other mobile devices containing ePHI despite actual knowledge of the unaddressed risks to unencrypted ePHI in violation of the HIPAA Security Rule dating back to at least 2007. The Proposed Determination notes, for instance, that:

A Security Gap Analysis and Assessment conducted for Children’s December 2006-February 2007 by Strategic Management Systems, Inc. (SMS) (SMS Gap Analysis) identified the absence of risk management as a major finding and recommended that Children’s implement encryption to avoid loss of PHI on stolen or lost laptops.
A separate PricewaterhouseCoopers (PwC) analysis of threats and vulnerabilities to certain ePHI (PwC Analysis) conducted in August, 2008 for Children’s determined that encryption was necessary and appropriate. The PwC Analysis also determined that a mechanism was not in place to protect data on a laptop, workstation, mobile device, or USB thumb drive if the device was lost or stolen and identified the loss of data at rest through unsecured mobile devices as being “high” risk. PwC identified data encryption as a “high priority” item and recommended that Children’s implement data encryption in the fourth quarter of 2008.
Furthermore, in September 2012, the HHS Office of the Inspector General (OIG) issued the findings from its audit of Children’s that focused on information technology controls for devices such as smartphones and USB drives. Among other things, the report, entitled “Universal Serial Bus Control Weaknesses Found at Children’s Medical Center,” found that Children’s had insufficient controls to prevent data from being written onto unauthorized and unencrypted USB devices and that “without sufficient USB controls, there was a risk that ePHI could have been written onto an unauthorized/unencrypted USB device and taken out of the hospital, resulting in a data breach.” A copy of this report was provided to Mr. Skillens.
Despite the prior breach notifications and warnings from the SMS Gap Analysis, the PwC Analysis and the OIG audit report, Children’s failed to take the necessary steps to encrypt and otherwise safeguard its ePHI on mobile devices. Children’s still had not implemented encryption on all devices as of April 9, 2013 even though appropriate commercial encryption products were available to achieve encryption of laptops, workstations, mobile devices, and USB thumb drives in use by Children’s staff by, at least, the time of the PwC Analysis in 2008. Furthermore, while leaving these deficiencies unresolved, the Proposed Determination notes that Children’s issued unencrypted BlackBerry devices to nurses beginning in 2007 and allowed its workforce members to continue using unencrypted laptops and other mobile devices until at least April 9, 2013 despite the findings of SMS and PwC and Children’s actual knowledge about the risk of maintaining unencrypted ePHI on its devices.

Based on this evidence, OCR concluded that Children’s had “actual knowledge” of the unaddressed threats to ePHI as early as March 2007 and at least one year prior to the reported security incidents. Furthermore, OCR also found that Children’s additionally violated HIPAA by failing to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within the facility prior to at least November 9, 2012. Prior to November 2012, Children’s information technology (IT) assets were inventoried and managed separately from the inventory of devices used within its Biomedical Department. Children’s IT asset policies did not apply to devices that accessed or stored ePHI that were managed by the Biomedical Department. Consequently, Children’s was unable to identify all devices to which the device and media control policy should apply prior to completing a full-scope inventory to identify all information systems containing ePHI in November 9, 2012. As Children’s did not conduct a complete inventory to identify all devices to which its IT asset policies apply to ensure that all devices were covered by its device and media control policies, the Proposed Determination concluded Children’s was out of compliance with the Security Rule at 45 C.P.R. § 164.310(d)(l).

After OCR’s investigation indicated widespread Privacy and Security Rule noncompliance by Children’s, the Proposed Determination states that OCR attempted to negotiate a resolution with Children’s through its informal resolution agreement process from approximately November 6, 2015, to August 30, 2016. When these efforts failed, OCR issued a May 10,2016 Letter of Opportunity that formally informed Children’s that since OCR had been unable to resolve its findings that Children’s violated the Privacy and Security Rules by informal means, OCR was informing Children’s of the preliminary indications of non-compliance and providing Children’s with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. The letter stated that Children’s could also submit written evidence to support a waiver of a CMP for the indicated areas of non-compliance. Each of Children’s indicated acts of noncompliance and the potential CMP for them were described in the letter. The letter was delivered to Children’s and received by Children’s agent on May 12, 2016.

Children’s responded to OCR’s letter on or about June 9, 2016. The Proposed Determination states that OCR determined that the information and arguments submitted by Children’s in its June 9, 2016 letter did not support an affirmative defense pursuant to 45 C.F.R. § 160.410 or a waiver of the CMP pursuant to 45 C.F.R. § 160.412. Accordingly, OCR notified Children’s in its September 30, 2016 Proposed Determination of OCR’s intent to implement the $3,217,000.00 CMP and procedures for appealing this planned CMP assessment. When Children’s did not file an appeal, OCR issued the Final Determination assessing the CMP. OCR reports that Children now has paid the $3,217,000.00 CMP.

Important Lessons For Other Covered Entities & Their Leaders

The Children’s CMP and underlying circumstances provide many key lessons for other Covered Entities. Obviously, the Final Decision drives home the importance of:

Proper encryption and other security and access controls of devices and systems containing ePHI; and
Proper documentation of risk assessments, audits, breach investigations and other events, compliance analysis and conclusions taken in response, and corrective actions selected and implemented in response to these events.

Beyond the importance of documented compliance with encryption and other requirements, the Children’s CMP and its associated Proposed Determination and Final Determinations also illustrate the importance of proper behavior in response to a known or suspected breach. The Proposed Determination and Final Determination make clear that beyond the breaches uncovered in the course of the investigation, OCR’s decision to implement the CMP was influenced by, among other things:

The recurrent disregard and failure by Children to act to address the HIPAA security violations over a period of years despite both repeated notifications of its noncompliance and actual breaches resulting from these compliance deficiencies; and
The failure of Children’s to cooperate with OCR to reach a voluntary resolution agreement which might have allowed Children to resolve its liability for the breaches OCR found by paying a potentially smaller settlement payment and implementing corrective actions to OCR’s satisfaction.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, the author of this uProposed Determinationate is widely known for her 28 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps these and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s includes nearly 30 years’ of work with a diverse range of health industry clients on an extensive range of matters.

Ms. Stamer has worked closely with health industry, managed care and insurance and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of staffing, human resources and workforce performance management, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns including policy design, drafting, administration and training; business associate and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others. Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy and governmental and regulatory affairs experience, Ms. Stamer also is widely recognized for regulatory and policy work, advocacy and outreach on healthcare, education, aging, disability, savings and retirement, workforce, ethics, and other policies. Throughout her adult life and career, Ms. Stamer has provided thought leadership; policy and program design, statutory and regulatory development design and analysis; drafted legislation, proposed regulations and other guidance, position statements and briefs, comments and other critical policy documents; advised, assisted and represented health care providers, health plans and insurers, employers, professional. and trade associations, community and government leaders and others on health care, health, pension and retirement, workers’ compensation, Social Security and other benefit, insurance and financial services, tax, workforce, aging and disability, immigration, privacy and data security and a host of other international and domestic federal, state and local public policy and regulatory reforms through her involvement and participation in numerous client engagements, founder and Executive Director of the Coalition for Responsible Health Policy and its PROJECT COPE: the Coalition on Patient Empowerment, adviser to the National Physicians Congress for Healthcare Policy, leadership involvement with the US-Mexico Chamber of Commerce, the Texas Association of Business, the ABA JCEB, Health Law, RPTE, Tax, Labor, TIPS, International Life Sciences, and other Sections and Committees, SHRM Governmental Affairs Committee and a host of other involvements and activities.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

Leave a Comment » | data breach, data security, Doctor, Health Care, Health Care Finance, Health Care Provider, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, Hospital, Hospital, hospitals, Medical Privacy, Physician, Privacy, Uncategorized | Tagged: breach, children's health, Children's Medical Center, Civil Monetary Penalties, civil monetary penalty, CMP, Data, Data Breach, Data Security, EPHI, Health Care, Health Plan, HIPAA, medical, Medical Privacy, mobile device, OCR, PHI, Privacy, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

$2.4M+ St. Joseph Health HIPAA Settlement Teaching Lesson For Other HIPAA-Covered Entities & Business Associates

October 25, 2016

St. Joseph Health (SJH) has agreed to pay a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan under a Resolution Agreement and Corrective Action Plan (SJH Settlement) reached with the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) to settle OCR charges that SJH violated the Privacy & Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) by allowing files containing electronic protected health information (ePHI) of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012. The SJH Settlement announced here by OCR on October 18, 2016 demonstrates the mounting HIPAA enforcement exposures that HIPAA-covered health care providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) risk when a breach of ePHI or other prohibited use, access, destruction or disclosure of ePHI or other personal health information (PHI) results from the failure of the Covered Entity or its business associates to properly protect or secure it in accordance with HIPAA. A review of the SJH Settlement drives home the point that Covered Entities should not assume that meaningful use or other electronic recordkeeping systems containing ePHI are properly secured in accordance with HIPAA.

SJH Investigation & Charges Resulting In $2.4 Million+ Settlement

A nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, who through its 24,000 employees and 6,000 physicians provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SHS’ 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJS filed with OCR. On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals-St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

SJH Settlement Agreement Highlights

Under the settlement agreement with SJH that OCR announced on October 18, 2016, SJH must pay a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

Among other things, the Corrective Action Plan specifically requires that SJH:

Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHJ);
Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
Distribute the risk management plan as finally approved by OCR to to workforce members involved with implementation of the plan within 30 days of OCR approval;
Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
Prepare for review of OCR training materials and once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
Submit annual report to OCR signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

Take Away For Other Covered Entities & Business Associates

To help safeguard their own organizations against potential sanctions from OCR and other HIPAA enforcement risks, Covered Entities and their business associates should ensure that their organization possesses a well-documented current enterprise-wide risk assessment, as well as has in place and is administering as necessary to maintain the currency and adequacy of its risk assessment strong practices for conducting documented evaluations of their own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA, taking into account recent OCR guidance, its initiation of its Phase II audit program, the insights offered by the SJH and other OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate’s operations that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks..

In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation to in response to OCR’s;

A series of recent OCR Resolution Agreements emphasizing the need for Covered Entities and their Business Associates to verify that have in place, and review and update as necessary business associate agreements e.g .HIPAA Settlement Illustrates The Importance Of Reviewing And Updating, As Necessary, Business Associate Agreements (September 23, 2016); Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement (June 29, 2016)
Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option Up to $6.50 is Not a Cap on All Fees for Copies of PHI (May 23, 2016)
Guidance On HIPAA & Cloud Computing released October 6, 2016, which provides guidance for Covered Entities and business associates about contracting and other procedures that HIPAA-regulated Covered Entities and their business associates should implement when contracting for and using Cloud Computing Services;
Joint Guidance published October 21, 2016 by the Federal Trade Commission and OCR reminding Covered Entities and their business associates of the need to ensure that in addition to fulfilling the technical content requirements of HIPAA, their HIPAA authorizations, privacy practices notices and other HIPAA notices and communications are written and presented in plan language, include required specific terms and descriptions and in a manner that does not mislead individuals about their rights or about what is happening with their PHI. Furthermore, where Covered Entities and their business associates contemplate that businesses associates may request that individuals sign HIPAA authorizations, Covered Entities and their business associates should the Covered Entity and business associate have in place a current, signed HIPAA-compliant business associate agreement that that expressly authorizes the business associate to request the HIPAA authorization in light of statements in the Joint Guidance indicating that OCR views the Privacy Rules as prohibiting a business associate from asking a consumer to sign a HIPAA authorization unless its business associate contract expressly permits the business associate to do so; and
Other OCR enforcement actions, tools and guidance. See, e.g. All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement; Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance; $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework; HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

As breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, contractual, tort and other exposures, Covered Entities and their business associates also generally are best served to take into account these other responsibilities and exposures in conjunction with the design and administration of their HIPAA compliance and risk management policies and practices.

Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, training, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attends these events. In addition, given the typically high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR changes, most Covered Entities and their business associations will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the often substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices also are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

Leave a Comment » | Academic medicine, Ambulatory care, ARRA, Civil Rights, Conditions of Participation, Corporate Compliance, data breach, data security, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, Health Policy, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, Indian Health, Laws, managed care, Meaningful Use, Medical Malpractice, Medical Privacy, Medical Records, Medicare Advantage, Mental Health, Mental Heatlh, Outcomes Data, Pharmaceudical, Pharmacy, Privacy, Psychiatric, Public Policy, Uncategorized, Wellness | Tagged: HIPAA, Meaningful Use, Technology | Permalink
Posted by Cynthia Marcotte Stamer

New Rule Gives ONC More Power Over Electronic Health Record Providers

October 16, 2016

The Office of the National Coordinator for Health IT (ONC) will have more oversight over certifying electronic health records and other technologies that store, share and analyze health information for consumers and the authority to ask developers to pull noncompliant products from the market under a new Final Rule scheduled for official publication in the Federal Register on October 19, 2016. The Final Rule will give ONC power to decertify health IT products and issue a cease-and-desist notice to prevent the future sale or marketing of products that don’t comply with regulations or found to pose a risk to public health or safety. Developers of decertified products also would have to notify affected customers and providers who purchased the products.

About The Author
Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns. The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here..
About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates available here.

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Accreditation, ASC, Clinical pathway, data breach, data security, DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Federal Health Center, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, HIPAA, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Meaningful Use, Medical Records, Medicare Fee Schedule, Medicare Fee Schedule, Physician, Reimbursement, Rural Health Care, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

CMS Publishes Final MACRA Rule

October 14, 2016

The Centers for Medicare and Medicaid Services (CMS) has released the 2398 page final rule implementing the Medicare Access & CHIP Reauthorization Act of 2105 (MACRA) reforms that Congress has adopted to replace the Sustainable Growth Rate (SGR) rules for determining physician and other clinician payments under Medicare with the new MACRA Quality Payment Program.

Despite widespread criticism by many physicians and clinicians about the MACRA reforms generally and the proposed regulations implemented in the final rules released today, CMS says the final rule establishes the primary regulatory structure to implement the MACRA reforms in a manner that will replace the current “flawed SGR payment system” with a “Quality Payment Program,” equip clinicians with the tools and flexibility to provide high-quality, and flexibility to provide high-quality, patient-centered care.

The sweeping final rule sets the 2017 performance period as a transition year for the 2019 Merit-Based Incentive Payment System payment year. Ultimately, however, physicians and other clinicians will need to choose between one of two options are having their compensation from Medicare determined under the new Quality Payment Program based on their evaluation of which program best fits their needs based on a thorough understanding and careful evaluation of the complex rules in the final regulations and any refinement to the rules that CMS subsequently issues:

Advanced Alternative Payment Models (APMs) or
The Merit-based Incentive Payment System (MIPS)

If a Clinician decides to participate in an Advanced APM, through Medicare Part B he or she may earn an incentive payment for participating in an innovative payment model.

If the clinician decides to participate in traditional Medicare Part B, then he will participate in MIPS where he earns a performance-based payment adjustment.

In order to position themselves to timely respond to the impending changes, conduct the evaluations necessary to determine which approach is likely to best fit their interests and timely act to submit the data, make elections, implement processes and complete other steps to prepare for and timely comply with the final rule, physicians, clinicians and others impacted by these rules must begin as soon as possible to carefully and systematically become educated about the provisions and terms of the final rule, to modify their processes and procedures to capture the data and administer the billing, coding and other functions necessary to evaluate options, timely submit data and make elections and come into compliance with the requirements of the final rules as they take effect while at the same time positioning themselves to adapt these arrangements in response to additional guidance that CMS and other anticipate will be forthcoming as CMS moves forward to full implementation of MACRA.

Solutions Law Press, Inc. is working to prepare additional summaries and other updates exploring certain key details of the lengthy and highly technical provisions of the final rules, as well as monitoring developments that might impact these rules. Stay tuned here for more details.

About The Author

Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Affordable Care Act, Ambulatory care, Anti-KickBack, ASC, billing, Centers For Disease Control, Clinical pathway, Conditions of Participation, Corporate Compliance, DME, Doctor, Durable Medical Equipment, false claims act, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Medicaid, Medicare, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Tenet To Pay $513M For Anti-kickback Law Guilty Plea

October 3, 2016

Tenet Healthcare Corp. and two of its hospitals will pay $513 million and enter guilty pleas to resolve criminal charges and civil claims the hospitals illegally paid kickbacks for patient referrals, the U.S. Department of Justice Announce on Monday, October 2, 2016.

Atlanta Medical Center Inc. and North Fulton Medical Center Inc. were charged October 2 in a criminal information in federal court in Atlanta with conspiracy to defraud the United States by obstructing the lawful government functions of the Department of Health & Human Services (HHS) and to violate the Antikickback Statute (AKS), which, among other things, prohibits payments to induce the referral of patients for services paid for by federal health care programs.

Tenet HealthSystem Medical Inc. and its subsidiaries (collectively THSM) entered into a non-prosecution agreement (NPA) with the Criminal Division’s Fraud Section and the U.S. Attorney’s Office of the Northern District of Georgia related to the charges in the criminal information. THSM is the parent company of Atlanta Medical Center Inc., North Fulton Medical Center Inc., Spalding Regional Medical Center Inc. and Hilton Head Hospital, and employed their executives. THSM is a subsidiary of Tenet Healthcare Corporation. Under the terms of the NPA, THSM and Tenet will avoid prosecution if they, among other requirements, cooperate with the government’s ongoing investigation and enhance their compliance and ethics program and internal controls. Tenet has also agreed to retain an independent compliance monitor to address and reduce the risk of any recurrence of violations of the AKS by any entity owned in whole, or in part, by Tenet. The term of THSM’s and Tenet’s obligations under the NPA is three years, but the NPA may be extended for up to one year. the plea deal announced, the two Tenet subsidiaries have agreed to plead guilty to the charges alleged in the criminal information and will forfeit over $145 million to the United States – which represents the amount paid to Atlanta Medical Center Inc. and North Fulton Medical Center Inc. by the Medicare and Georgia Medicaid programs for services provided to patients referred as part of the scheme.

In the concurrently announced civil settlement, Tenet agreed to pay $368 million to the federal government, the state of Georgia and the state of South Carolina to resolve claims asserted in United States ex rel. Williams v. Health Mgmt. Assocs., Tenet Healthcare, et al., a lawsuit filed by Ralph D. Williams, a Georgia resident, in the Middle District of Georgia, under the federal and Georgia False Claims Acts. The acts permit whistleblowers to file suit for false claims against the government entities and to share in any recovery. The federal share of the civil settlement is $244,227,535.30, the state of Georgia will recover $122,880,339.70 and the state of South Carolina will recover $892,125. Mr. Williams’ share of the combined civil settlement amount is approximately $84.43 million.

The Tenet investigations, enforcement actions and settlement demonstrate the continuing criminal and civil risks that health care organizations, individual providers and their employees and representatives run when engaging in aggressive marketing, billing or other practices under the Anti-kickback or other Federal health care fraud laws, as well as the role that employee and other whistleblowers with inside information often play in bringing actions and behaviors that provide the basis for prosecution of these and other charges or claims against healthcare organization and the health care providers, management and other individuals participating in or responsible for managing conduct to comply with these rules.

Health care organizations, their management, providers, and others participating in the planning, administration or oversight of transactions or other activities that could become subject to scrutiny or prosecution under these and other Federal or state healthcare laws should act proactively to manage their risks by using care to adopt and administer documented effective compliance plans and processes that prevent involvement in prohibited actions, to periodically conduct documented audits and other oversight to maintain demonstrated efforts to ensure their organizations and actions in operations comply with these requirements, continuously remain on the alert for and monitor transactions and arrangements in which they are involved for signs of potential violations or other risky conduct, to take prompt, well-documented corrective action to investigate and address as appropriate potential concerns including but not limited to the monitoring and investigation of employee complaints, performance, termination and other events for evidence of potential whistleblower or other concerns.

About The Author

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Leave a Comment » | Ambulatory care, Anti-KickBack, ASC, billing, Corporate Compliance, Doctor, Employer, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Policy, Hospital, hospitals, Medicaid, Medicare, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement

July 27, 2016

Health care providers, health plans, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC) documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.

UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement

Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.

Like many prior resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing. OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR. UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.

UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.

In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report. Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.

While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR’s additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.

Based on these findings, OCR charged UMMC with the following HIPAA violations:

From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. § 164.312 (a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI,, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.

Lessons For Other Covered Entities From UMMC Resolution Agreement

The UMMC charges and Resolution Agreement contains several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed..

Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.

Furthermore, the charges and Resolution Agreement also adds a new twist to OCR’s now well established to stiffly sanction covered entities and their business associates that fail appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI. The UMMC charges and Resolution Agreement makes clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption. Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.

The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop as well as other data bases and systems containing ePHI accessible through the laptop. In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:

To safeguard the physical security of laptops and other mobile devices;
To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.

Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguard by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.

In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels. Stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” She also warned “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

Additionally, the Resolution Agreement also illustrates need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.

Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

Leave a Comment » | Academic medicine, Ambulatory care, ASC, Childrens Health Insurance Program, Civil Rights, Corporate Compliance, data breach, data security, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, managed care, Medical Privacy, Medical Records, Mental Health, Mental Heatlh, OCR, Outpatient, Pharmacy, Physician, Prescription Drugs, Privacy, Psychiatric, Rural Health Care, substance abuse treatment, Technology, Telemedicine, Uncategorized, Union, Veterans Health, Veterans Health Care, Wellness | Tagged: Employers, Health Care, Health Care Provider, Health Plans, HIPAA, Hospital, Medicaid, OCR, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance

May 26, 2016

Healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates should verify that their copying charges and other policies and practices for responding to requests of individuals for copies and other access to protected health information (PHI) comply with the Privacy and Security Rules (Privacy Rule) of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) as construed in a new Frequently Asked Question (FAQ published May 24, 2016 as follow up to two other sets of guidance about HIPAA assess rights published by the Department of Health & Human Services Office of Civil Rights (OCR) since January, 2016.

New OCR Guidance Sheds New Light On HIPAA Access Rule Requirements

The OCR FAQ titled New Clarification – Up to $6.50 Flat Rate Option published May 24, 2016 is the third in a series of guidance materials OCR discussing OCR’s interpretation of individuals’ core right under HIPAA to access and obtain a copy of their PHI from Covered Entities since January, 2016 (the “Access Rule”). With OCR Enforcement Data already showing Access Rule violations among the top 5 issues in cases investigated by OCR every year since HIPAA took effect in 2003, Covered Entities can expect OCR to include Access Rule violations among the Privacy Rule violations OCR likely will target as it continues to ramp up its HIPAA audit, investigation and enforcement efforts.

As part of its sweeping requirements concerning the use, access, protection and disclosure of PHI, the Access Rule provisions of the Privacy Rule generally require Covered Entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the Covered Entity or its business associate. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the Covered Entity to transmit a copy to a designated person or entity of the individual’s choice as long as the Covered Entity or a business associate on its behalf maintains the PHI, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the Covered Entity, another provider, the patient, etc.).

With its publication of the New Clarification FAQ on May 24, 2016, OCR now has published three pieces of guidance (the Access Guidance) about its interpretation of the Access Rule since January, 2016 that it hopes will promote greater understanding of and compliance with the Access Rule by Covered Entities:

In January, OCR published a comprehensive Fact Sheet (Fact Sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient;
On March 1, OCR published a second set of FAQs accessible here addressing when Covered Entities may charge individuals to provide requested copies of their PHI, how Covered Entities must calculate these fees, when Covered Entities must send an individual’s PHI to a third party designated by the individual in its request for copies, and other issues relating to access rights guaranteed by the Privacy Rule; and
On May 24, 2016 OCR clarified this prior Access Guidance by publishing another FAQ titled New Clarification – Up to $6.50 Flat Rate Option .

Collectively, the Access Guidance addresses a broad range of questions and issues about the responsibilities of Covered Entities under the Access Rule including what PHI Covered Entities must provide as well as detailed guidance about when and how much Covered Entities can charge individuals for requested copies of their PHI or summaries of their PHI. Since the OCR Access Guidance may restrict the charge that health care providers or other Covered Entities can charge for copies or other access more than applicable state law rules, Covered Entities need to verify their practices comply with OCR’s Access Guidance in addition to any applicable state law rules. The Access Guidance makes clear that OCR expects Covered Entities and their business associates to ensure that their charges for copying or providing other access to PHI guaranteed by the Privacy Rule complies with this Access Guidance even if that practice does not violate applicable state law.

Are You Charging Too Much? Charges For Copies of PHI Must Meet OCR Privacy Rule Guidance

Concerning charges for copies of PHI requested by an individual, Privacy Rule § 164.524(c)(4) permits a Covered Entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information) provided that the Covered Entity properly and timely notifies the individual of the cost and properly determines the cost in accordance with OCR guidance.

Many physicians or other health care providers that use electronic health records (EHRs) certified to allow individuals to access their PHI in the system may be unaware that OCR views the availability of electronic access from the EHR affects the health care provider’s ability to charge for copies of requested PHI. OCR’s position is that the Privacy Rule prohibits a Covered Entity from charging an individual for requested copies of PHI when the request is fulfilled by the individual accessing the requested PHI using the View, Download, and Transmit functionality of the provider’s certified electronic health record.

Assuming the request for access or copies is not fulfilled through download from an HER, the Access Guidance indicates q Covered Entity must use one of three potentially applicable OCR-approved methods to calculate the fee the Covered Entity charges an individual for copies of PHI or an agreed upon summary provided that the method used takes into account only labor costs for copying or producing an agreed upon summary as defined by OCR.:

The “Actual Cost” Method;
The “Average Cost” Method; or
For electronic copies of PHI maintained electronically, the “Flat Fee” Method.

Charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating actual or average costs for requests for electronic copies of PHI under either the Actual Cost or Average Cost Methods. However, by its terms, the “Flat Fee” Method is only an allowable for Covered Entities to use to avoid calculating actual or average allowable costs when a Covered Entity is providing electronic copies of PHI maintained electronically (and presumably when the access request is not fulfilled through download from an EHR). When applicable, the Flat Fee Method allows a Covered Entity to charge a flat fee for all requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage. The New Clarification – Up to $6.50 Flat Rate Option clarifies that use of the Flat Rate Method is permitted not required when a Covered Entity provides copies of PHI maintained electronically other through download directly from a certified EHR. Covered Entities that wish to charge more than the $6.50 flat rate allowed under the Flat Rate Option retain the right, if the facts and evidence warrant, to use either the Actual Cost Method or Average Cost Method to calculate the fee for providing electronic records electronically within the boundaries of what is permissible under the Privacy Rule.

Where the Flat Fee Method is inapplicable or the Covered Entity elects not to use it, the Covered Entity must use either the Actual Cost Method or the Average Cost Method to calculate the fee in accordance with OCR’s rules.

Under the “Actual Cost Method,” a Covered Entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. The Covered Entity may add to the actual labor costs any applicable supply (e.g., paper, or CD or USB drive) or postage costs. Covered Entities that charge individuals actual costs based on each individual access request still must be prepared to inform individuals in advance of the approximate fee that may be charged for providing the individual with a copy of her PHI. An example of an actual labor cost calculation would be to time how long it takes for the workforce member of the Covered Entity (or business associate) to make and send the copy in the form and format and manner requested or agreed to by the individual and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the individual (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format);

Under the “Average Cost” Method, in lieu of calculating labor costs individually for each request, a Covered Entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (e.g., labor costs for copying but not for search and retrieval) and are reasonable. Covered Entities may add to that amount any applicable supply (e.g., paper, or CD or USB drive) or postage costs. This standard rate can be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the individual requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. However OCR’s guidance states that OCR does not consider per page fees for copies of PHI maintained electronically to be reasonable for purposes of 45 CFR 164.524(c)(4);

Whether using the Actual Cost Method or the Average Cost Method, a Covered Entity must only take into account only “reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

OCR’s guidance makes clear that the reasonability of the charges for labor must reflect the technology available for providing this access. In this respect, OCR’s guidance states that a Covered Entity cannot charge a fee under HIPAA for individuals to access the PHI from a health care provider’s EHR technology that has been certified as being capable of making the PHI accessible. OCR’s position is that where a Covered Entity fulfills an individual’s HIPAA access request by allowing the individual to access the requested PHI using the View, Download, and Transmit functionality of the provider’s certified electronic health record (CEHRT), an individual requests or agrees to access her PHI available through the View, Download, and Transmit functionality of the CEHRT, there are no labor costs and no costs for supplies to enable such access.

To the extent that access is not provided through an CEHRT, the fee a Covered Entity charges an individual to provide copies of requested PHI or an agreed upon summary may include only the cost of:

Copying the PHI; and
Preparation of an explanation or summary of the PHI, if agreed to by the individual.

As interpreted by OCR, labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

Labor for copying the PHI requested by the individual, whether in paper or electronic form;

Supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
Postage, when the individual requests that the copy, or the summary or explanation, be mailed; and
Creating and executing a mailing or e-mail with the responsive PHI.

See 45 CFR 164.524(c)(4).

The Access Guidance states the fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; outsourcing the function of responding to individual requests for PHI copies or other costs not listed above even if such costs are authorized by State law. See 45 CFR 164.524(c)(4).

Of course, in any case, OCR’s guidance makes clear that regardless of how a entity chooses to calculate its fee to copy PHI, the Privacy Rule requires that the Covered Entity inform the requesting individual in advance of the approximate fee that may be charged for providing the copy requested and otherwise comply with the Privacy Rule as interpreted by OCR’s latest guidance concerning providing individuals access to PHI and other requirements.

Documented, Timely Action Needed To Mitigate OCR Audit, Investigation & Enforcement Risks

Beyond operationally complying with the Access Guidance, Covered Entities and their business associates generally will want to update their policies, practices and training to position themselves to defend their calculation of any charges made for copies provided in response to a request for access protected by the Privacy Rule and other compliance with the requirements of that rule and the otherwise applicable provisions of HIPAA as well as include monitoring and enforcement of these requirements as part of their ongoing HIPAA compliance efforts.

These and other HIPAA compliance efforts are particularly critical in light of the expanding audit, investigation and enforcement activities of OCR under the Privacy Rule. OCR’s publication of the Access Guidance coincides with a surge in OCR’s HIPAA audit, investigation and enforcement activities.

OCR’s publication of the new Access Guidance comes as OCR is ramping up its interpretation, oversight and enforcement of HIPAA generally. See, Brace For OCR HIPAA Audits & Enforcement; Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance. While continuing to offer guidance like the Access Guidance and other tools to encourage and help Covered Entities and their business to understand and comply with the Privacy Rule, OCR also increasingly now uses the expanded penalties and authority created by the HITECH Act to punish Covered Entities for violating Privacy Rule requirements. HITECH Act amendments, among other things, broadened the duties of OCR to audit, investigate and sanction HIPAA violations as well as tightened various requirements of the Privacy Rules.

The risks to Covered Entities from violating the Privacy Rules are significant and growing. Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities and their business associates face heightened risks that violations of HIPAA will trigger liability to pay a Civil Monetary Penalty (CMP) to OCR or other sanctions. The two, multimillion dollar CMPs now imposed by OCR against two different Covered Entities caught violating the Privacy Rules only reflect a small part of OCR’s CMP enforcement. Equally or perhaps more significant are the growing stream of high dollar settlement payments that an ever-growing list of Covered Entities to resolve OCR Privacy Rule violation charges that otherwise also might result in OCR’s assessment of a CMP against them. See, e.g. $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Provider Pays $750K To Settle HIPAA Business Associate Rule Breach Charges; North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations; OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000; Lehey Pays $850K After Unencrypted Laptop Stolen.

These already substantial enforcement risks are likely to rise as OCR begins auditing the compliance of selected Covered Entities as part of its recently announced 2016 audit program. As a result of audit requirements enacted as part of the HITECH Act, Covered Entities now need to be prepared to demonstrate the adequacy of their HIPAA compliance in case their organization becomes targeted for audit under OCR’s 2016 audit program. Even if not selected for audit, however, Covered Entities and their business associates still face the risk that a complaint filed with OCR will trigger an OCR investigation of their practices for providing copies or other access or other compliance with the Privacy Rules. In light of the growing aggressiveness of OCR’s enforcement, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions. Consequently, Covered Entities and their business associates should move quickly to review and update their practices, communications and training to comply with this new Access Guidance as well as other guidance, enforcement and other developments that might impact the adequacy of their existing practices under the Privacy Rule generally. Because of the risk that any review or investigation of the adequacy of its practices or complaints under the Privacy Rule will involve sensitive information or analysis, Covered Entities and their business associates are cautioned to consider the advisability of arranging for this analysis and review to be conducted within the scope of attorney-client privilege under the guidance of legal counsel experienced with the Privacy Rules and other related legal concerns.

About The Author

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see www.CynthiaStamer.com, email Ms. Stamer cstamer@solutionslawyer.net or telephone her at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

1 Comment | Electronic Health Records, Electronic Medical Records, Health Care, Health care coding, Health Care Provider, Health Care Quality, health care reimbursement, HIPAA, Hospital, Hospital, hospitals, Meaningful Use, Medical Privacy, Medical Records, Physician, Physician Licensing, Privacy, Rural Health Care, Uncategorized, Veterans Health Care | Tagged: Data Security, Electronic Health Records, EMR, Health Care, Health Plan, HIPAA, Hospital, Meaningful Use, Medical Records, Privacy, Privacy Rule | Permalink
Posted by Cynthia Marcotte Stamer

North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations

March 25, 2016

Just one day after the announcement of a $1,555,000 settlement with North Memorial Health Care of Minnesota under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) announced March 17, 2016 that Feinstein Institute for Medical Research has agreed to pay $3.9 million and will undertake a substantial corrective action plan to settle charges of HIPAA violations and bring its operations into compliance. The two settlements drive home again the substantial liability that health care providers, health plans, health care clearinghouses and their business associates risk for violating HIPAA. Register for March 30, 2016 Solutions Law Press, Inc. briefing to learn the latest about this and other new regulatory and enforcement guidance impacting the HIPAA compliance obligations and risks of health care providers, health plans, health care clearinghouses and their business associates. 3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments.

Feinstein Settlement

Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement and corrective action plan may be found here.

The Feinstein settlement announcement follows yesterday’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found here.

Settlement Latest Reminder To Manage HIPAA Risks

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, the North Memorial settlement is another example of the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR concerning their obligations under HIPAA. As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI. In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs. At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule. To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breach or audit.

Latest Guidance Clarifies Patient Rights To Access PHI & Allowable Charges

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.

OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process.. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016. Get additional information or register here.

About The Author

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Leave a Comment » | Academic medicine, ASC, Childrens Health Insurance Program, Consumer Driven Health Care, data breach, data security, Disease Management, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, Employment law, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Labor Law, Laws, managed care, Meaningful Use, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, OCR, Outpatient, Patient Empowerment, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Privacy, Psychiatric, Reproductive Rights, Rural Health Care, substance abuse treatment, Technology, Telemarketing, Telemedicine, Union, Veterans Health, Wellness | Tagged: breech, Data Breech, HIPAA, Medical Confidentiality, Medical Privacy, North Memorial, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

North Memorial Health Care Pays $1.5M Plus HIPAA Settlement For Business Associate Agreement Deficiencies

March 16, 2016

North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Settlement Latest Reminder To Manage HIPAA Risks

Latest Guidance Clarifies Patient Rights To Access PHI & Allowable Charges

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

Register For 3/30 Webex Briefing

About The Author

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

Leave a Comment » | Academic medicine, Corporate Compliance, data breach, data security, Disease Management, DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Federal Health Center, Genetic Information, Health Care, Health Care Provider, Health Care Quality, Health IT, Health Plan, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation Facility, managed care, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, OCR, Outpatient, Pandemic, Patient Empowerment, Pharmacy, Physician, Privacy, Psychiatric, Rural Health Care, Technology, Telemarketing, Telemedicine | Tagged: business associate, covered entity, Health Care, Health Plan, HIPAA, Hospital, Medical Privacy, North Memorial, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

OIG Modifies Past Ruling, Blesses Two New Medicare Co-Pay Financial Programs

January 4, 2016

Healthcare providers interested in or offering financial assistance with co-pays or other out-of-pocket charges to Medicare or Medicaid patients should review carefully two new and one modified opinion just published by the Department of Health and Human Services Office of Inspector General (OIG).

OIG generally interprets federal healthcare fraud laws as prohibiting healthcare providers from paying for or providing financial assistance with co-pay or other out-of-pocket costs for Medicare or Medicaid beneficiaries unless the arrangement Falls then an exemption approved by OIG.

In recent years the OIG increasingly has approved certain nearly defined co-pay or other financial assistance for him arrangements in a series of specific opinion letters. The three Advisory Opinions released today are the latest of these opinions. See Advisory Opinion 15-17 at http://go.usa.gov/c5ekz; Advisory Opinion 15-16 at http://go.usa.gov/c5e8C; and Modification of Advisory Opinion 06-04 http://go.usa.gov/c5e8W.

Healthcare providers reading these opinions must keep in mind the opinions only protect the parties who receive that opinion; other parties interested in offering financial assistance to Medicare or Medicaid beneficiaries with copayments or other out-of-pocket costs must get the OIG to issue them an opinion specifically blessing their proposed arrangement before moving forward to avoid risking triggering fraud enforcement.

While non parties cannot rely n opinions issued to others, health care providers offering or considering offering financial assistance carefully should review the guidance published in these opinions as a roadmap for designing and operating their own arrangements. Guidance in these opinions helps identify key criteria for qualification and enforcement.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years of experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Anti-KickBack, DME, Doctor, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, health care reimbursement, Home Health, Hospice, Hospital, Hospital, hospitals, Medicaid, Medicare, Medicare Fee Schedule, Medicare Fee Schedule, Medicare Prescription Drug Program, Money Laundering, Nonprofits, OIG, Outpatient, Pharmacy, Physician, Prescription Drugs, Stark, Uncategorized | Tagged: Fianancial Assistance, Fraud & Abuse, Health Care Fraud, OIG, Rebate, STARK | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Fraud Prosecutions Target Owners, Operators & Other Leaders

December 11, 2015

Lengthy prison sentences imposed against the five former owners and operators convicted or having plead guilty to involvement in health care fraud schemes carried out by their various health care organizations in the first 10 days of December drive home the growing effectiveness of the Departments of Justice, Health & Human Services and other federal state agencies at investigating and prosecuting health care fraud. Owners, operators and other leaders of health care organizations should administer well documented health care fraud compliance and other defensive actions to avoid becoming one of these lessons as a result of their involvement with their own organizations.

Mississippi Hospice Owner Gets 36 Months

On December 4, 2015; U.S. Attorney; Northern District of Mississippi that the owner-operator of Millstone Hospice in Grenada, Mississippi, Sandra Livingston on January 25, 2016 will begin serving a 36 month prison sentence imposed by a Federal judge on December 3, 2015 as part of her punishment for her health care fraud conviction. In addition to her prison sentence, Ms. Livingston also must serve three years of supervised release and pay $1,098,639 in restitution to the Medicare program.

Ms. Livingston previously pled guilty on July 30, 2015 to conspiracy to commit healthcare fraud in violation of 18 U.S.C. §§ 1347 & 1349. Ms. Livingston admitted that while she owned and operated Milestone Hospice in Grenada, Mississippi, Millstone Hospice used patient recruiters to solicit patients that were not hospice appropriate and then received more than $1 million of Medicare payments for fraudulent charges for these services submitted to Medicare. In announcing the sentence, Donald Alway, Special Agent in Charge of the FBI in Mississippi said “This scheme is particularly sickening because the defendant charged Medicare over a million dollars in services for “treating” folks who have no idea they were on hospice because they weren’t at the end of the lives.”

Ms. Livingston’s conviction is the third conviction as part of a joint effort by the United States Attorney’s Office, the U.S. Department of Health and Human Services Office of Inspector General, the Federal Bureau of Investigation, the Mississippi Attorney General’s Medicaid Fraud Control Unit and targeting fraudulent hospice providers who have billed Medicare and Medicaid for medically unnecessary services.

Southern California Ambulance Company Owners & Management Combined 168 Months Sentence

Following the Livingston sentencing, the Justice Department on December 7, 2015 announced the sentencing of the former owner, operator and managers of a Southern California ambulance company for their role in a fraud scheme that resulted in more than $1.5 million in fraudulent claims to Medicare.

U.S. District Judge S. James Otero of the Central District of California sentenced Yaroslav Proshak, aka Steven Proshakof Valley Village, California to serve 108 months in prison. On December 2, 2015, Judge Otero sentenced Emilia Zverev of Van Nuys, California; and Sharetta Michelle Wallace of Inglewood, California, to serve 36 months and 24 months in prison, respectively. In addition to their prison terms, Judge Otero ordered Zverev and Wallace to pay restitution jointly and severally with Proshak in the amount of $804,755.

The sentences are imposed for health care fraud convictions obtained last summer. On August 18, 2015 a federal jury in Los Angeles convicted Proshak, Zverev and Wallace of one count of conspiracy to commit health care fraud and five counts of health care fraud. Zverev and Wallace worked for ProMed Medical Transportation, an ambulance transportation company owned and operated by Proshak in the greater Los Angeles area that provided non-emergency services to Medicare beneficiaries, many of whom were dialysis patients. Zverev was the billing manager and Wallace supervised the ProMed EMTs.

The evidence at trial showed that between May 2008 and October 2010, the defendants conspired to bill Medicare for ambulance transportation services for individuals that did not need such services. The defendants also instructed ProMed EMTs to conceal the patients’ true medical conditions by altering paperwork and creating fraudulent documents to justify the services. During the course of the conspiracy, ProMed submitted at least $1.5 million in false and fraudulent claims to Medicare for medically unnecessary transportation services; Medicare paid at least $804,755 on those claims.

Pharmacy Owner Gets 108 Months Sentence

Subsequently on December 10, 2015, the Justice Department announced that U.S. District Judge Donald M. Middlebrooks sentenced Daniel Suarez to 108 months in prison, followed by three years of supervised release and ordered Suarez to pay $20,988,632 in restitution for pleading guilty to one count of conspiracy to commit health care fraud and wire fraud, in violation of Title 18, United States Code, Section 1349.

According to the court record, Suarez and his co-conspirators were the owners of eight separate pharmacies that submitted and caused the submission of false and fraudulent claims to Medicare that they provided pharmaceutical drugs pursuant to properly written prescriptions when, in fact, such items were not properly prescribed or actually provided to Medicare beneficiaries. This fraud was accomplished in part by the use of a number of patient recruiters who received kickbacks in return for referring Medicare Part D beneficiaries to the eight separate pharmacies that Suarez controlled. These patient recruiters then purchased the prescriptions for the medically unnecessary pharmaceutical items that the pharmacies billed to Medicare. Suarez placed the pharmacies he controlled in the names of co-conspirator family members. In total, Suarez and his co-conspirators submitted and caused the submission of more than $20 million in false claims to the Medicare Part D program. Suarez used the fraudulently obtained proceeds to benefit himself and his family, including the purchase of luxury automobiles (i.e.: a Rolls Royce Ghost, Bentley, Range Rover and Mercedes Benz S63 AMG).

Like the lengthy and ever growing list of convictions and sentencings of other owners, operators, management, marketing representatives and others charged with involvement in health care fraud, these sentences drive home the commitment and effectiveness of the Justice Department, the Department of Health & Human Resources Office of Inspector General, and other federal and state agencies to investigating and prosecuting health care organizations and their leaders or others acting on their behalf to inappropriately bill or otherwise defraud Medicare, Medicaid or other federal health care programs. These convictions and settlements are intended to and should send a strong message to other health care organizations and their owners, leaders and other representatives about the need to exercise care to avoid wrongful or questionable billing for health care services. As reflected in these prosecutions and sentences, health care organizations found guilty of engaging in health care fraud can expect crippling if not fatal restitution requirements, Medicare and other federal program participation exclusion and other serious consequences. However, these stiff organizational sanctions pale to the prison sentences, program exclusion, restitution and other punishment that individual owners, operators, management, and marketing or other staff generally incur when convicted of these schemes. In light of the heavy handed interpretation and enforcement of federal and state health care fraud rules, health care organization owners, operators, and others involved in the marketing, billing, delivery, recruitment or other elements of health care billed to Medicare, Medicaid or other public or private health care programs should exercise care both to verify that their practices comply with applicable requirements and that they carefully preserve the necessary documentation and other evidence to defend the actions of themselves and their organizations.

With health care fraud enforcement a key component of the federal government’s efforts to bring down health care costs and the continuing success of federal and state health care fraud investigation and enforcement efforts like those already achieved by the Justice Department against the 12 defendants that already pleaded guilty, health care providers providing substance abuse or other treatments reimbursed by federal or state programs should must ensure that their care and billings are appropriately delivered and documented to withstand almost inevitable government scrutiny of their operations and activities.

For More Information Or Assistance

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Other Helpful Resources & Other Information

Examples of some of these recent health care related publications include:

Leave a Comment » | Anti-KickBack, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Home Health, Hospice, Hospital, hospitals, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

NLRB 29 Unfair Labor Practice Charges Against Community Health Systems, Inc. Shows Industry Labor Risks

October 19, 2015

A 29-count unfair labor practices complaint brought by the National Labor Relations Board (NLRB) against national hospital giant, Community Health Systems, Inc. and seven of its hospitals (CHS), reminds other hospital and health care systems about the need to take steps to maintain and strengthen the defensibility of their own union organizing and other labor-management relations processes as well as to prepare for the added complication the necessity of dealing with a union could present to their ability to manage already complex compliance, employment and employee benefit and other responsibilities.

The consolidated complaint announced by the NLRB today (October 19, 2015) alleges that CHS and seven wholly owned subsidiary hospitals make up a single integrated employer that has violated the National Labor Relations Act (NLRA) by engaging in a series of unfair labor practices. Specifically, the complaint claims CHS violated employee rights by, among other things: maintaining rules that infringe on employees’ rights to discuss wages, hours, and working conditions with one another and to advocate for better treatment; making statements and taking actions against employees for participating in union activities; and failing to engage in good-faith collective bargaining with the unions the NLRB says employees have selected as their exclusive collective-bargaining representatives.

The complaint involves 29 charges filed against CHS hospitals by the following NLRB Regional Offices:

Region 8, Cleveland against Affinity Medical Center – Massillon, Ohio
Region 9, Cincinnati against Kentucky River Medical Center – Jackson, Kentucky
Region 10, Atlanta against Bluefield Regional Medical Center – Bluefield, West Virginia and Greenbrier Valley Medical Center – Ronceverte, West Virginia
Region 21, Los Angeles against Fallbrook Hospital – Fallbrook, California
Region 31, Los Angeles against Barstow Community Hospital – Barstow, California and
Region 32, Oakland against Watsonville Community Hospital – Watsonville, California.

The consolidated complaint requests specific remedial relief, including: reimbursement for negotiation expenses; a make-whole remedy, including reinstatement, for employees who were the subject of discretionary discharges prior to any bargaining with the employees’ exclusive collective bargaining representatives; the reading and electronic transmission of a Notice to Employees; and a broad, corporate-wide cease and desist order given prior findings of serious unfair labor practices involving many of the facilities in the current matter. To avoid unnecessary delay and to conserve public and private resources, the General Counsel transferred all of these cases to Region 8, Cleveland, which issued the consolidated complaint. Absent settlement, the NLRB is scheduled to begin litigation in Cleveland on December 15, 2015.

The NLRB complaint against CHS is one of a growing number of actions where the NLRB, packed with Obama Administration appointees have gone after hospital or other health care employers as part of their broader pro-Labor agenda. See e.g., Specialty Healthcare and Rehabilitation of Mobile, Board Case No. 15-CA-68248 (reported at 357 NLRB No. 174) (6^th Cir. decided August 15, 2013 under the name Kindred Nursing Centers East, LLC f/k/a Specialty Healthcare and Rehabilitation of Mobile v. NLRB).

These decisions should remind health care and other employers of the highly union-friendly bent of the NLRB under the current administration, as well as the hazards of mishandling efforts to defend against union organizing and other protected activities under the NLRA. Beyond the obligation to recognize and bargain with properly certified collective bargaining unions, the NLRB and other federal labor laws also grant employees a host of other protections. Among these are recently affirmed rights-even for a worker not represented by a union – to insist another employee be present when participating in disciplinary and certain other meetings with management, rules limit the ability of employers to prohibit or restrict employees requiring employees to keep confidential and not discuss among each other salary, wages or other terms of compensation or employment terms and conditions, and others. The Obama Administration has made known its desire to expand these rights further and has carried out an aggressive legislative, regulatory and enforcement campaign in pursuit of this goal since taking office. For this reason, health care or other organizations should seek the advice and assistance of qualified legal counsel experienced with labor management relations matters to review policies for compliance, to prepare and administer anti-organizing activities, and to evaluate and respond to union organizing or bargaining activities.

Amid these obligations and the pro-Labor enforcement attitude of the current administration, health industry organizations and their leaders must be prepared both to deal appropriately with labor-management relations organizing, bargaining and other obligations and to manage these responsibilities along with other critical compliance and operations management responsibilities. Beyond dealing with organizing and certification details, the recognition of a union also generally brings obligations for the employer to bargain on a wide range of matters. While most employers understand that this might include wages and benefits, it also includes bargaining about other terms and conditions of employment such as policies on compliance, investigations, discipline and a broad range of other concerns. For this reason, organization also can complicate compliance, risk management, financial and other critical management operations. Furthermore, union organizers and representatives often look for whistleblower or other opportunities to use compliance obligations as tools to strengthen bargaining or undermine employer credibility. For this reason, health industry and other employers targeted for organization or facing other labor-management risks should act early to tighten their compliance and manage risks in anticipation of the need to defend their actions in the event of a union organization or other action.

For More Information Or Assistance

The author of this article, Cynthia Marcotte Stamer, is a Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization concurrently recognized a “Top” Health Care, Labor & Employment and ERISA/Employee Benefits Lawyer for her more than 28 years’ experience advising and defending public and private, rural and metro area hospital; health care system; nursing home; home health; rehabilitation; physical therapy; medical clinic; medical staff, physician practice group, independent practice association, and management services organization; staffing; HMOs, PPOs, ACOs, Medicare and Medicaid Advantage and other managed care organization; pharmacy; life sciences; durable medical equipment; allied health; health care technology; and other health industry clients.

As a Board Certified in Labor and Employment Law whose practice focuses on health industry clients, Ms. Stamer’s work throughout her career has included continuous involvement advising and representing health care organizations about employment, labor-management, peer review and staffing and other workforce management and compensation concerns. Ms. Stamer also continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance management and discipline; quality; governance; privacy, data security and breach; health care and other fraud prevention, risk management and defense; Medicare, Medicaid, managed care and insurance and other billing and reimbursement; safety and contagious disease; FDA; DEA; STARK, Fraud & Abuse, False Claims Act and other fraud prevention, investigation, remediation, and defense; managed care contracting and compliance; health care, insurance and other licensure and accreditation; managed care, government and other contracting and contract enforcement; antitrust; nonprofit and other general corporate and business matters and transactions; disaster preparedness and response; government audits and other enforcement; investigation and discipline; board and corporate governance; and other compliance, reengineering and change management, risk management, regulatory and government affairs, public policy and operations concerns.

Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past five years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns.

Ms. Stamer’s experience includes extensive involvement helping these and other health industry clients to establish, administer, and defend their practices and to conduct other dealings with the Department of Labor, Health and Human Services (HHS), Board of Medicine, Department of Insurance, NLRB, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Wage and Hour and other Labor Department, Department of Defense, Justice Department and state attorneys’ general, Department of Health and other health care industry regulators.

Recognized in the International Who’s Who of Professionals; Vice President of the North Texas Health Care Compliance Professionals Association; founder and Executive Director of the Coalition for Responsible Health Policy and Project COPE: The Coalition on Patient Empowerment; Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Past Compliance Chair of the National Kidney Foundation of North Texas Board, Past Board President of the Richardson Development Center Early Child Intervention Agency (not Warren Center for Children) and a Fellow in the American College of Employee Benefits Council, the American Bar Association (ABA) and State Bar of Texas, Cindy serves on the Editorial Advisory Board of Insurance Thought Leadership, Employee Benefit News, HR.com, on the leadership of the ABA JCEB Council and several ABA Sections, and in many other professional and civic organizations and educational faculties, Ms. Stamer also is a prolific and popular lecturer and widely published author on health industry, labor and employment and other related concerns. She publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns as well as conducts workshops and programs and publications on these and many other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

For more information about Ms. Stamer and her health industry or other experience, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, register here.

About Solutions Law Press

©2015 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication, see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

2 Comments | Academic medicine, Ambulatory care, ASC, Corporate Compliance, DME, Doctor, Employer, Employment, Employment law, Federal Health Center, Health Care, Home Health, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Physician, Psychiatric, Uncategorized | Tagged: collective bargaining, Health Care, Labor-Managment Relations, NLRB, NRLA, unfair labor practice, Union, Union Organizing, Union-managment relations, workforce | Permalink
Posted by Cynthia Marcotte Stamer

Former National Quality Forum Committee Co-Chair Pays $1M, Excluded From Medicare In Fraud Settlement

March 5, 2015

A former National Quality Forum Committee Safe Practices Co-Chair landed in hot water under the False Claims Act for receiving compensation to use his influence and position to influence safety practices standards. Patient safety consultant Dr. Charles Denham, will pay $1 million to settle Justice Department allegations that he violated the False Claims Act by soliciting and accepting kickbacks while he co-chaired the Safe Practices Committee 2009 and 2010, according to a Justice Department announcement. The consulting company Health Care Concepts Inc. and the research organization Texas Medical Institute of Technology, operated by Denham both also are parties to the settlement.

With physicians and other health care organizations increasingly stepping up involvement in credentialing organizations and government advisory and other task forces, the enforcement action highlights another area where health care organizations and their people need to be careful to avoid violations of the False Claims Act or other laws. The settlement illustrates both the need for health care providers participating in HHS or other government advisory or other consulting roles to carefully evaluate their compensation and other arrangements for illegal remuneration or other prohibited elements in light of the continuing emphasis on and success of the Departments of Health & Human Services (HHS) and Justice in investigating and prosecuting arrangements they view as health care fraud under the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative announced in 2009.

The charges against Denham resolved by the settlement stem from payments he and his companies received while he co-chaired the Safe Practices Committee. The Safe Practices Committee reviews, endorses and recommends standardized healthcare performance measures and practices. The settlement resolves allegations that, under agreements entered into in 2008, Denham received monthly payments from CareFusion Corporation while serving as the co-chair of the Safe Practices Committee. The Justice Department charged that Denham did not disclose to the committee, or any other individual or component of the National Quality Forum, that he was receiving payments from CareFusion while co-chairing the Committee and that Denham solicited and received these payments in exchange for influencing the recommendations of the National Quality Forum and for recommending, promoting and/or arranging for the purchase of CareFusion’s product, ChloraPrep, in violation of the Federal Anti-Kickback Statute. The United States alleged that this conduct caused the submission of false or fraudulent claims for ChloraPrep to federal health care programs.

In addition to paying $1 million to the United States, Dr. Denham and his two businesses will be excluded from Medicare, Medicaid and all federal health programs as part of the settlement.

The settlement highlights another example of the widespread success HHS, the Justice Department and other agencies participating in the HEAT initiative in using the False Claims Act against doctors, hospitals and other health care providers and organizations. Since January 2009, the Justice Department reports recovery of more than $23.8 billion through False Claims Act cases, with more than $15.2 billion of that amount recovered in cases involving fraud against federal health care programs. With HHS and the Justice Department claiming it recovers an average return of $8 for each $1 invested in health care fraud enforcement, the enforcement initiative is a key player in Federal efforts to control and reduce federal health care expenditures. The Obama Administration tout the success of these efforts to fuel Congressional and public support for continuation and expansion of these and other health care fraud enforcement efforts by HHS, the Justice Department and other agencies.

“Kickback schemes undermine the integrity of medical decisions, subvert the health marketplace and waste taxpayer dollars,” said Acting Assistant Attorney General Benjamin C. Mizer of the Justice Department’s Civil Division. “Doctors and other health care professionals who accept illegal inducements undermine the public’s trust in federal health care programs and will continue to be the focus of our enforcement efforts

Given the success of the programs and the HEAT agencies commitment to continuing their heavy-handed enforcement efforts, physicians, hospitals, skilled nursing, home health, durable medical equipment, and other health care providers and their leaders should stay ever diligent in their efforts to maintain compliance and other necessary defenses in anticipation of government scrutiny of their operations and activities. As part of these efforts, health care providers and organizations serving on advisory task forces or committees to government agencies or to credentialing or standard settling organizations that provide input on regulatory, standard setting or other activities need to use special care to ensure that any potential conflicts of interest are properly identified and disclosed and that the arrangements otherwise are structured and conducted to avoid violations of both the Anti-Kickback and other health care fraud laws and lobbying, conflict of interest and other laws, regulations and policies applicable to those activities.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

1 Comment | Academic medicine, Accreditation, ADA, ASC, Corporate Compliance, Disability Discrimination, Discrimination, DME, Doctor, Durable Medical Equipment, Employer, Employment, Employment law, Federal Health Center, Health Care, Health Care Provider, Home Health, Hospital, Hospital, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Physician, Rehabilitation Act, Veterans Health | Tagged: Anti-Kickback, Health Care Fraud, HEAT, HHS, Illegal Remuneration, Medicare Exclusion, National Quality Forum, Physician | Permalink
Posted by Cynthia Marcotte Stamer

State Exchange Problems Added ACA Threat Regardless of SCOTUS Decision In King v. Burwell

March 3, 2015

While most Americans are familiar with the well-publicized issues and higher than projected premium costs of coverage offered to Americans enrolling in health care coverage through the federal healthcare marketplace Healthcare.gov created under the health care reforms of the Patient Protection & Affordable Care Act (ACA), many Americans are just beginning to recognize the growing problems and concerns emerging with state exchanges in those states that elected to enact their own exchange. As the Supreme Court prepares to hear arguments in the challenge to the payment of ACA subsidies to individuals in states that elected not to adopt a state-run health care exchangeto pay for coverage purchased through the federal healthcare.gov marketplace in King v. Burwell on Wednesday, March 4, 2015, the growing evidence of rapidly emerging funding and other challenges affecting state-run exchanges raise concerns about the solvency and reliability of coverage promised and purchased through those state-run exchanges. These state exchange funding difficulties create concerns not only for state lawmakers, but also for the health care providers and patients that are relying upon adequate funding to ensure that patients can receive promised care and coverage and the health care providers caring for these patients will receive promised payment for these services.

During the Congressional debates leading up to the enactment of ACA, for instance, ACA advocates touted the Massachusetts health care mandates and reform law of Massachusetts as part of the model for ACA and evidence of the potential benefits offered by enactment of ACA. Now Massachusetts officials are blaming ACA for serious underfunding and other problems in their state’s health care connector.

Massachusetts Governor Charlie Baker recently cited the Health Connector and its challenges in enrolling Massachusetts residents in health insurance plans as part of the Affordable Care Act that forced the state to temporarily transition hundreds of thousands of state residents into the commonwealth’s Medicaid program as a primary reason for the state’s projected $1.5 billion budget deficit. He now has asked for the resignations of four Massachusetts Health Connector board members: MIT professor Jonathan Gruber, Covered California actuarial consultant John Bertko; Massachusetts Nonprofit Network CEO Rick Jakious and Spring Insurance Group CEO George Conser.

The Massachusetts experience is not unique. Other states also are experiencing significant funding and other problems dealing with the ACA mandates and implementation. See, e.g., Funding Woes Imperil Future of State Run Exchanges; State Insurance Exchanges Face Challenges In Offering Standardized Choices Alongside Innovative Value-Based Insurance.

This mounting evidence of serious cost, financing and other concerns in state-run exchanges creates new reason for concern about the future of ACA’s health care reforms even for those citizens of states whose eligibility for subsidies is not challenged by the King v. Burwell Supreme Court challenge. These state exchange funding difficulties create concerns not only for state lawmakers, but also for the health care providers and patients that are relying upon adequate funding to ensure that patients can receive promised care and coverage and the health care providers caring for these patients will receive promised payment for these services.These and other budget overruns and operational challenges raise serious questions about the ability of the federal government or the states to fund the promises currently made by ACA in its present form. Congress and state governments almost certainly will be forced to deal with these broader challenges regardless of the outcome of King v. Burwell. As American leaders continue to struggle to deal with these and other mounting problems impacting the U.S. health care system, the input of individual Americans and businesses and community leaders is more critical than ever. Get involved in helping to shape improvements and solutions to the U.S. health care system and the Americans it cares for by sharing your ideas and input through the Coalition For Responsible Health Care Policy and exchanging information and ideas for helping American families deal with their family member’s illnesses, disabilities and other healthcare challenges through Project COPE: Coalition for Patient Empowerment here.

About Project COPE: The Coalition On Patient Empowerment & Coalition on Responsible Health Policy

Do you have ideas or experiences to share about medical debit, ACA or other health care challenges? Have ideas for helping improve ACA and other health care policies impacting the US health care system, helping Americans cope with these and other health care challenges or other health care matters? Know other helpful resources or experiences that you are willing to share? Are you concerned about health care coverage or other health care and disability issues or policy concerns? Join the discussion and share your input by joining Project COPE: Coalition for Patient Empowerment here.

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these needs is the purpose of

The Coalition and its Project COPE arise and operate on the belief that health care reform and policy must be patient focused, patient centric and patient empowering. The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans. The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch. Americans can best improve health care by not waiting for someone else to step up: Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can. Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process. Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist. The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye. Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families. While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

You also may be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here such as:

You also can find out about how you can arrange for training for you, your employees or other communities to participate in training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include employers and their health and other employee benefit plans, public and private health care providers, health insurers, plan fiduciaries and service providers, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Health Care Employer’s Discrimination Triggers Medicare, EEOC Prosecutions

March 2, 2015

Health care employers and organizations should review and tighten their employment and other discrimination policies and risk management in light of recent employment discrimination enforcement actions targeting health care organization staffing decisions by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) and the Equal Employment Opportunity Commission.

OCR Race Discrimination Medicare Action

A new OCR Voluntary Resolution Agreement with Shiawassee County Medical Facility reminds health care providers of the frequently underappreciated Medicare/Medicaid program participation risks of certain types of employment discrimination to be careful not to allow patient preferences to lead them into the trap of violating the prohibition against race, color, and national origin under Title VI of the Civil Rights Act of 1964 or other federal nondiscrimination laws when making patient staffing assignments.

Title VI of the Civil Rights Act prohibits discrimination in the administration of any federally-funded program based on race, color, or national origin. OCR’s longstanding “Guidelines for Compliance of Hospitals with Title VI of the Civil Rights Act of 1964,” make clear that OCR interprets Title VI prohibits assignment of hospital staff based on the racial preference of the patient.

A newly announced OCR investigation and Resolution Agreement Shiawassee County Medical Care Facility, a 136-bed Medicare and Medicaid certified skilled nursing facility, illustrates the need for Medicare and Medicaid certified health care providers of all types to ensure their compliance with Title VI and, in particular, to refrain from making any staff assignments based on racial considerations.

The Resolution Agreement between OCR and Shiawassee, a 136-bed Medicare and Medicaid certified skilled nursing facility, resolved charges that the facility violated Title VI by giving a nursing staff instruction to not assign African-American staff to a Caucasian Resident. Based on an investigation, OCR found Shiawassee needed to change its policies and procedures to bring them into full compliance with Title VI. To implement fully the prohibition against consideration of race in staff assignments, Shiawassee signed a with OCR which calls for the appointment of a Title VI Coordinator to oversee Shiawassee’s overall compliance with Title VI including special responsibilities for the investigation and adjudication of any Title VI complaints filed internally with Shiawassee. In addition, Shiawassee must train its workforce on Title VI, and submit reports to OCR regarding compliance.

The Shiawassee charges and Resolution agreement follow a similar Agreement in August 2014 between OCR and Hurley Medical Center in Flint, Michigan , which also resolved OCR charges arising from that facilities staff assignment based on a patient’s racial preference. Read the Hurley Agreement here.

Phoenix EEOC ADA Discrimination Action

The HHS against Shiawassee enforcement action coincides with an Equal Employment Opportunity Commission (EEOC) announcement of its filing of disability discrimination lawsuit under the Americans With Disabilities Act (ADA) against another health care provider, ValleyLife of Phoenix, Arizona. EEOC charges that ValleyLife engaged in illegal disability discrimination in violation of the ADA when it allegedly fired employees with disabilities instead of providing them with reasonable accommodations when their eligibility for family leave ended under the Family & Medical Leave Act ended and allegedly failed to keep employees’ medical records confidential. See EEOC v. ValleyLife, Civil Action No. 2:15-cv-00340-GMS (N.Az).

In EEOC v. ValleyLife, the EEOC charges that ValleyLife fired employees with disabilities rather than provide them with reasonable accommodations due to its inflexible leave policy. The policy compelled the termination of employees who had exhausted their paid time off and/or any unpaid leave to which they were eligible under the Family Medical Leave Act (FMLA). According to the EEOC, ValleyLife fired supervisor, Glenn Stephens, due to his need for further surgery when his FMLA leave eligibility ended. EEOC claims this termination violated the ADA because ValleyLife did not engage in any interactive process to determine whether any accommodations (including additional leave) were possible. Stephens had worked for ValleyLife for over ten years at the time of his termination. The EEOC contends that ValleyLife’s failure to offer extended leave or other accommodation to Stephens when his leave eligibility ended violated the ADA, which protects workers from discrimination based upon disability and requires employers to provide reasonable accommodations to the known physical or mental impairments of disabled employees unless doing so would cause an undue hardship.

The suit also alleges that ValleyLife commingled medical records in employee personnel files and failed to maintain these medical records confidential in violation of the medical record confidentiality requirements of the ADA, which requires employees’ to keep medical documents confidential and separate from other personnel records.

The lawsuit seeks lost wages and compensatory and punitive damages for the alleged victims, as well as appropriate injunctive relief to prevent discriminatory practices in the future.

Prepare Employment Discrimination Defenses

The OCR action against Shiawassee and the EEOC suit against ValleyLife remind health industry employers of the need to use care to monitor and manage employment discrimination risks. Health care organizations should avoid the temptation to assume that their organizations can rely upon patient preferences or other common industry concerns to defend against claims of disability, race or other discrimination. Instead, health care organizations should review and update their policies and practices to ensure that they properly comply with applicable employment and other federal and state disability discrimination law and are operationalized in a manner to create and keep appropriate documentation to defend staffing decisions against potential claims of illegal discrimination under the ADA, Civil Rights, or other laws that could adversely impact their organization’s eligibility to participate in Medicare, Medicaid or other federal programs, trigger judgments or penalties, or both.

Health care organizations also need to exercise care to ensure that their patient access, care and other policies also comply and are administered to withstand scrutiny under Medicare terms of participation, the ADA, the Civil Rights Act and other federal discrimination laws. These health industry employers should both evaluate their existing policies and practices, as well as their processes for conducting and documenting investigations and other activities associated with the administration of FMLA or other disability accommodation, patient and other staffing and other activities to position their organization to identify potential exposures and position themselves to defend their decisions against OCR, EEOC or other government agency investigations, private plaintiff claims or both.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Accreditation, ADA, ASC, Corporate Compliance, Disability Discrimination, Discrimination, DME, Doctor, Durable Medical Equipment, Employer, Employment, Employment law, Federal Health Center, Health Care, Health Care Provider, Home Health, Hospital, Hospital, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Physician, Rehabilitation Act, Veterans Health | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Providers, Provide ACO, Reimbursement Reform Input To HHS

March 2, 2015

Physicians, nurses, hospitals and other health care providers, patients and others concerned about health care reimbursement and other health care reforms in the United States should sign up and participate in the new Health Care Payment Learning and Action Network (“Network”) the Department of Health and Human Services (HHS) is creating to help shape ongoing reform of the US health care delivery system to promote better care, smarter spending, and healthier people through the expansion of new health care payment models and other reforms. HHS is inviting private payers, employers, providers, patients, states, consumer groups, consumers, and other partners within the health care community to register here to participate in the Network activities including kickoff event scheduled for Wednesday, March 25, 2015.

HHS hopes cooperation through the Network will help the entire U.S. health care system match and exceed the following HHS goals for Medicare:

Tying 30 percent of payments to quality or value through alternative payment models, such as Accountable Care Organizations (ACOs) or bundled payment arrangements by the end of 2016, and
Tying 50 percent of payments to alternative payment models by the end of 2018. The Network will also support the broader goal of tying the vast majority of payments in the health care system to quality or value.

As HHS moves forward to promote ACOs and other reforms, it is particularly important that providers and patients provide feedback and input about the goals and ideas HHS is promoting as solutions for “improving” health care. While HHS often touts consolidation of care into ACOs and other reimbursement strategies using government generated standards of quality as the best means of improving quality and cost-effectiveness, many patients, providers and others worry that HHS ACO and other reimbursement reforms as presently implemented or contemplated by HHS cut costs at the expense of patients by denying reimbursement or other access for effective care options based on cost or ignore other patient needs in the name of cost savings. Active, consistent participation in these and other opportunities for input is critical for those concerned about these and other issues to question and shape the goals, assumptions and actions HHS, Congress and others take to change the U.S. health care system.

HHS says most Network meetings will occur virtually by teleconference or webinar. In-person meetings will occur in the Washington D.C. area. HHS plans to hold the first live streaming of the kickoff event on Wednesday, March 25, 2015. HHS will share details through e-mails to those registered online to participate in the network. Individuals and organizations concerned about ACO and other HHS-lead health care reforms are urged to register and participate in the Network as one of the ways to help monitor and shape health care reform as lead by HHS.

About Project COPE: The Coalition On Patient Empowerment & Coalition on Responsible Health Policy

Do you have feedback or other experiences to share about medical debit, ACA or other health care challenges? Have ideas for helping improve our system, helping Americans cope with these and other health care challenges or other health care matters? Know other helpful resources or experiences that you are willing to share? Are you concerned about health care coverage or other health care and disability issues or policy concerns? Join the discussion and share your input by joining Project COPE: Coalition for Patient Empowerment here.

The Coalition and its Project COPE are founded and operate based on the belief that health care reform and policy must be patient focused, patient centric and patient empowering. The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans. The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch. Americans can best improve health care by not waiting for someone else to step up: Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can. Building health care neighborhoods filled with good neighbors throughout the community is the key.

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Affordable Care Act, Ambulatory care, Anti-KickBack, ASC, Border Health, Centers For Disease Control, Conditions of Participation, Consumer Driven Health Care, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Medical Records, Employer, Evidence Based Medicine, false claims act, FDA, Federal Health Center, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health Insurance Exchange, Health IT, Health Plan, Health Policy, Home Health, Hospital, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Meaningful Use, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Fee Schedule, Medicare Prescription Drug Program, OIG, Outcomes Data, Patient Empowerment, Pharmacy, Physician, Prospective Payment, Public Policy, Rural Health Care, Stark, Telemedicine | Permalink
Posted by Cynthia Marcotte Stamer

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Proposed HHS Grants Rule Overview

For More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

False Claims Act Liability Arising From Participation In Or Filing Claims Involving Improper Inducements

Gampel, Modern Vascular FCA Complaint

Warning To Other Heath Care Providers & Suppliers

For More Information

Other Helpful Resources & Information

Share this:

eCQMs As Measure of Health Care Quality

2022 eCQMs Updates

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

About Solutions Law Press, Inc.™

Important Information About This Communication

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: