Privacy | | Page 2

Use New State Ebola Protocol Table In Ebola Prevention & Management Planning

January 10, 2015

Health care providers, public health, school, and other community organizations, employers and other business leaders and others concerned about continuing Ebola and other pandemic prevention and containment should check out the new table of State Ebola Protocols Table compiled by the Centers for Disease Control (CDC) to help law and policy makers prepare for and respond to Ebola-related situations As part of continuing Federal efforts to make up for lost time on helping U.S. health care providers and communities prepare to prevent and respond to Ebola outbreak risks since the death of Liberian Ebola patient Thomas Eric Duncan at a in Dallas hospital last year alerted Americans to the risks and need for tighter preparations.

While the Dallas hospital that treated Mr. Duncan paid a settlement to his family and faced other widespread criticism and negative publicity, it then has become clear that misinformation provided by the patient, the original presentation of the patient with flu-like symptoms, the Obama Administration’s reluctance to adopt policies or communications that might interfere with its pro-immigration political agenda, the CDC’s failure to maintain and communicate the most current health care information to health care providers and communities, the CDC’s academic rather than operational emphasis, EMTALA mandates that forced the hospital to triage the patient, Medicaid and other insurance payment protocols that would have as medically unnecessary screening tests in the absence of more clear risk factors, federal licensing restrictions on the use of testing and a host of other limits and deficiencies in the Federal government’s preparations and response to Ebola and other communication risks, left Texas Health Resources and other U.S. health care providers, as well as U.S schools, public service agencies, employers and others at a great disadvantage in their efforts to deal with the outbreak. After denying the seriousness of Ebola risk concerns for several weeks, the diagnosis with Ebola of health care providers that treated Mr. Duncan and subsequent death and diagnosis resulted in the CDC and other federal and state agencies stepping up their Ebola preparation and guidelines. In keeping with this ongoing commitment, CDC says the CDC now will continue to update the State guidelines table as states continue to modify their Ebola response protocols.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related developments or other risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Centers For Disease Control, Childrens Health Insurance Program, Disability Discrimination, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, FDA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Medical Licensure, Medical Malpractice, OIG, Pandemic, Patient Empowerment, Pharmacy, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Substance Abuse | Tagged: controlled substance, DEA, DOJ, Drug Testing, drugs, false claims act, Grants, Health Care, Health Care Compliance, Health Care Fraud, Health Plans, HEAT, HIPAA, licensure, Medicaid, Medical Board, pain management, pharmacist, pharmacy, physical therapy, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Unpatched and Unsupported Software Triggers Latest HIPAA Security Breach Resolution Agreement

December 11, 2014

Health care providers, health plans, health care clearinghouses (covered entities) and their business associates need to watch for and protect protected health information (PHI) against security exposures from unpatched or unsupported software and other weaknesses in their data security protections as part of their compliance obligations under the Security Rules of the Health Insurance Portability & Accountability Act (HIPAA).

The need to monitor and address data security threats associated with unpatched or unsupported software is demonstrated by the December 9, 2014 announcement by the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR) that Anchorage Community Mental Health Services (ACMHS) will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program resulting from unpatched and unsupported software.

OCR opened an investigation against the five-facility, nonprofit provider of behavioral health care services to children, adults, and families in Anchorage, Alaska after receiving notification from ACMHS of a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources.

According to the OCR announcement of the ACMHS Resolution Agreement with OCR, OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but failed to follow these procedures. Moreover, OCR found that the reported security incident directly resulted of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

In an effort to promote awareness of the need to assess and monitor the security of ePHI by covered entities and business associates, OCR continues to encourage covered entities and business associates to conduct regular documented evaluations of the adequacy of their ePHI safeguards and systems. To aid in this process, OCR and the Office of the National Coordinator for Health Information Technology have created a Security Rule Risk Assessment Tool available here to assist organizations that handle PHI in conducting a regular review of the administrative, physical and technical safeguards they have in place to protect the security of the information. Since OCR points to the Tool as a resource, covered entities and business associates should anticipate that their failure to identify and address any deficiencies in the areas identified by the tools as a potentially serious compliance issue. As a result, covered entities and business associates likely will want to take steps to ensure that their records include documented review of the adequacy of the security safeguards identified in the Tool. At the same time, covered entities and their business associates should not assume that the Tool adequately covers all potential HIPAA Security Rule exposures. OCR has made clear in this and other Resolution Agreements that HIPAA’s Security Rule requires ongoing monitoring and assessment of the adequacy of security in response to changes in software or system, emerging threats and other developments.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Leave a Comment » | Centers For Disease Control, Childrens Health Insurance Program, Disability Discrimination, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, FDA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Medical Licensure, Medical Malpractice, OIG, Pandemic, Patient Empowerment, Pharmacy, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Substance Abuse | Tagged: controlled substance, DEA, DOJ, Drug Testing, drugs, false claims act, Grants, Health Care, Health Care Compliance, Health Care Fraud, Health Plans, HEAT, HIPAA, licensure, Medicaid, Medical Board, pain management, pharmacist, pharmacy, physical therapy, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Congress Sends Bill To Fast Track FDA Ebola Treatment Review & HHS Declaration Gives Ebola Treatment Manufacturers Special Immunity

December 11, 2014

As part of Washington’s late response to the Ebola outbreak crisis, the House and Senate in the past week have passed legislation that if signed by the President as expected will add Ebola and other filoviruses to the list of diseases eligible for fast track review by the Food and Drug Administration (FDA) under the FDA Priority Review Voucher Program (Program).

The FDA Program awards vouchers to sponsors of human drug applications that are approved to prevent or treat designated tropical diseases. A voucher entitles the holder to have a future human drug application acted upon by the FDA within six months.

The House on December 3, 2014 and the Senate on December 10, 2014 respectively passed the “FDA Priority Review Voucher Program Act,” (S.B. 2917/H.B. 5729) (the “Bill”) that will amend the Federal Food, Drug, and Cosmetic Act to add Ebola and other filoviruses to the list of diseases covered by the Program. The Bill also seeks to expedite FDA approval of Ebola and other designated disease treatments by:

Changing the process by which infectious diseases that do not significantly impact developed nations and disproportionately affect poor and marginalized populations can be designated as tropical diseases from rulemaking to order of the Secretary of Health and Human Services (HHS).
Allowing priority review vouchers to be transferred between sponsors of human drug applications any number of times.
Reducing from 365 days to 90 days the advance notice required before submitting a human drug application subject to a priority review voucher.

Congress sent the Bill to the President just one day after Department of Health & Human Services (HHS) Secretary Sylvia M. Burwell today announced a declaration under the Public Readiness and Emergency Preparedness (PREP) Act HHS says it hopes will “facilitate the development and availability of experimental Ebola vaccines in hopes of helping combat the current epidemic in West Africa and help prevent future outbreaks there.”

Fighting the disease in Africa has been the primary focus of the Obama Administration’s Ebola response. The December 9, 2014 HHS declaration provides immunity under United States law against legal claims related to the manufacturing, testing, development, distribution, and administration of three vaccines for Ebola virus disease. It does not, generally, provide immunity for a claim brought in a court outside the United States.

For many years, the U.S. has encouraged vaccine development by managing liability and compensation, starting with the National Childhood Vaccine Injury Act of 1986. The PREP Act was designed to facilitate the development of medical countermeasures to respond to urgent public health needs, including the development of critical vaccines like those to prevent the spread of Ebola. This U.S. declaration under the PREP act is part of a global dialogue to address these issues in the U.S., and other countries where the vaccine is being developed, manufactured and potentially used.

“My strong hope in issuing this PREP Act declaration in the United States is that other nations will also enact appropriate liability protection and compensation legislation,” said Secretary Burwell. “As a global community, we must ensure that legitimate concerns about liability do not hold back the possibility of developing an Ebola vaccine, an essential strategy in our global response to the Ebola epidemic in West Africa.”

HHS hopes the PREP Act declaration will strengthen the incentive to conduct research and spur development, manufacturing, and the potential use of the vaccines in large scale vaccination campaigns in West Africa. The PREP Act declaration provides legal protection under U.S. law for three vaccine candidates:

the GlaxoSmithKline’s Recombinant Replication Deficient Chimpanzee Adenovirus Type 3-Vectored Ebola Zaire Vaccine known as ChAd3-EBO-Z;
the BPSC1001 vaccine, known as rVSV-ZEBOV-GP, made by BioProtection Services Corporation, a subsidiary of Newlink Genetics; and
the Ad26.ZEBOV/MVA-BN-Filo vaccine manufactured by Janssen Corporation, subsidiary of Johnson & Johnson/Bavarian Nordic.

Similar PREP Act declarations have been issued, revised or renewed 14 times since the Act was signed in 2005. Past declarations have covered vaccines used in H5N1 pandemic influenza clinical trials in 2008, products related to the H1N1 influenza pandemic in 2009, and the development and manufacturing of antitoxins to treat botulism in 2008. For more information about the PREP Act, see here .

The Bill and the HHS PREP Act declaration are the latest efforts to provide what many health care providers see as a long overdue response to the Ebola outbreak in the wake of the diagnosis and subsequent death of an Ebola patient in Dallas lead to his death and the infection of nurses involved in his treatment, and a small number of other Ebola victims in the United States raised national awareness and concern.

For More Information Or Assistance

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Preparing Privacy Compliance For Emergencies-Ebola Crisis Prompts HHS OCR To Share Guidance On HIPAA Privacy in Emergency Situations

November 11, 2014

The recent US Ebola scare provided an important reminder to health care providers, health insurers and health plans, health care clearinghouses, employers and others of the importance of understanding and preparing to deal with health care privacy and other challenges arising from epidemics and other emergencies. In response to the recent Ebola and other contagious disease outbreaks and just as U.S. health care and other business leaders are working to prepare for the biggest contagious disease time of the year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reminding health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates that the privacy rules of the Health Insurance Portability & Accountability Act (HIPAA) requiring Covered Entities and their business associates to limit the use, access and disclosure of patient’s protected health information (PHI) continue to apply during emergency situations and help them understand when HIPAA allows them to share PHI in emergency situations in a new notice titled “HIPAA Privacy in Emergency Situations” (Guidance) published November 10, 2014. A business associate of a covered entity (including a business associate that is a subcontractor) also must continue to comply with HIPAA and may only make disclosures permitted by the Privacy Rule on behalf of a Covered Entity or another business associate to the extent authorized by its business associate agreement and consistent with HIPAA’s requirements.

Sharing Patient Information

The Guidance begins by reminding Covered Entities and their business associates that HIPAA’s Privacy Rule continues to apply in emergency situations and requires Covered Entities protect and prohibits their use, access or disclosure of patient’s protected health information except as allowed by HIPAA unless the patient authorizes the Covered Entity to disclose the PHI in accordance with HIPAA’s requirements for authorization set forth in 45 CFR 164.508.

The Guidance then goes on to discuss the following circumstances that the HIPAA Privacy Rule might allow Covered Entities to share PHI without getting patient authorization, subject to the reminder that in many cases, HIPAA will require that the Covered Entity limit the disclosure to the minimum necessary disclosure necessary for the allowable purpose and require other conditions to be fulfilled:

Treatment.

Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.

Public Health Activities.

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

To Or At The Direction Of A Public Health Authority.

The HIPAA Privacy Rule allows Covered Entities to share protected health information with Public Health Authorities authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability like the Centers for Disease Control and Prevention (CDC) or a state or local health department. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.

The HIPAA Privacy Rule also allows Covered Entities to share information at the direction of a public health authority:

To a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i); and
To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv)

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification.

The HIPAA Privacy Rule allows a Covered Entity to share protected health information:

With a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death including where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).

The Guidance reminds Covered Entities, however, that the Privacy Rule requires the Covered Entity to get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible. If the individual is incapacitated or not available, the Guidance states Covered Entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

The Guidance also confirms that Covered Entities may share protected health information with disaster relief organizations authorized by law or by their charters to assist in disaster relief efforts like the American Red Cross for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Imminent Danger

The Guidance also states that Covered Entities that are health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j).

Disclosures to the Media & Others Not Involved in the Care of the Patient/Notification

The Guidance also reminds Covered Entities of the importance of closely adhering to HIPAA’s rules when responding to information requests from the medial or others not involved in the care of a patient. The Guidance states that when the media or other other party not involved un the patient’s care asks the Covered Entity for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a). In general, except in the limited circumstances authorized in the HIPAA Privacy Rule, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

Minimum Necessary Restriction Requirement

The Guidance cautions Covered Entities and their business associates that for most disclosures, a Covered Entity generally must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. However, this minimum necessary requirement does not apply to disclosures to health care providers for treatment purposes.

Covered Entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary when making disclosures in response to request from those parties. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.

Required Internal Restrictions On Use, Access & Disclosure

Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).

Safeguarding Patient Information

Beyond limiting the use, access and disclosure of PHI, the Guidance also reminds Covered Entities and their business associates that even in emergency situations, HIPAA continues to require them to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures as well as to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.

Limited Waiver

Although HHS has yet to take steps to trigger a limited waiver, the Guidance also reminds Covered Entities and their business associates that HHS has the power to do so, the effect of a limited waiver and the circumstances under which HHS could elect to apply a limited waiver to waive sanctions against a hospital for certain specific types of HIPAA violations while the waiver is in effect.

As the Guidance notes, the HIPAA Privacy Rule is not suspended during a public health or other emergency. Rather, the limited waiver rules only operates to permit the Secretary of HHS to waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. The limited waiver only applies when the President declares an emergency or disaster and HHS declares a public health emergency. When and if these requirements are met, HHS may waive sanctions and penalties against a Covered Entity that is a hospital for failing to comply with the following HIPAA Privacy Rule provisions:

The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
The patient’s right to request confidential communications. See 45 CFR 164.522(b).

If the Secretary issues such a waiver, Covered Entities and their business associates should keep in mind the waiver only applies to the list violations and only applies:

For so long as the waiver remains in effect;
In the emergency area and for the emergency period identified in the public health emergency declaration
To hospitals that have instituted a disaster protocol; and
For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Not Necessarily Just About HIPAA

HIPAA is not necessarily the only law that Covered Entities, business associates or others need to consider when deciding what to disclose during an emergency or otherwise. The HIPAA Privacy Rule applies to disclosures made by and Covered Entities, business associates employees, volunteers, and other members of a Covered Entity’s or Business Associate’s workforce. The Privacy Rule does not apply to disclosures made by entities or other persons who are not Covered Entities.

Beyond HIPAA, Covered Entities, their business associates or members of their workforce, employers, and other organizations also need to consider whether other federal or state laws, ethical rules, contracts or policies may restrict use or disclosure, safeguard, or take other steps to protect PHI or other information. For instance, other federal laws, state law, professional ethical rules, contracts, facility policies or procedures, or other restrictions often apply to health care provides, insurers, brokers, employers or others. Employers, health care organizations, insurers and others also need to be concerned about potential discrimination, common law and statutory privacy, retaliation, defamation and other exposures.

Prepare For Compliance Now

The recent experiences of various health care organizations intimately involved in caring for the Ebola patients highlights the importance of anticipating, preparing and conducting training, and having your workforce practice to prepare to deal with the special challenges of dealing with HIPAA and other legal responsibilities in advance of emergency events. When preparing for these events, Covered Entities and business associates need to take into account the need to comply operationally as well as to document and retain records of compliance. They should both should anticipate and prepare to respond to both typical inquiries as well as those from the media, public and others. They also should consider how various types of emergencies could create new privacy or security risks. For instance, in certain emergency situations, recordkeeping or other systems could be disrupted, impacting the ability retain and subsequently produce required documentation. Furthermore, Covered Entities also should prepare to manage the patient and public relations aspects of these events including adverse impressions that often arise when the media or others are disappointed at being denied information because of compliance obligations, from breaches or perceived breaches, or other similar events.

For More Information Or Assistance

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Leave a Comment » | Centers For Disease Control, Childrens Health Insurance Program, Disability Discrimination, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, FDA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Medical Licensure, Medical Malpractice, OIG, Pandemic, Patient Empowerment, Pharmacy, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Substance Abuse | Tagged: controlled substance, DEA, DOJ, Drug Testing, drugs, false claims act, Grants, Health Care, Health Care Compliance, Health Care Fraud, Health Plans, HEAT, HIPAA, licensure, Medicaid, Medical Board, pain management, pharmacist, pharmacy, physical therapy, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Parkview Hospital To Pay $800K To Settle HIPAA Charges After Retiring Physician Blows The Whistle

July 6, 2014

Health care providers, health plans, heath care clearinghouses and their business associates heed both the lesson about properly protecting protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement.

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

The resolution agreement highlights the role that current or former physicians, employees or others can play in helping OCR to identify HIPAA violations. Health care providers and other covered entities and their business associates should take into account the likelihood that physicians on their own or other facility medical staffs, their employees and other participants in the care delivery system often may have and be motivated to report to government sensitive information about violations of HIPAA or other laws. Since HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objectiving to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations, employees or other workforce members increasingly make the complaints bring violations to OCR and other regulators.

Whether from an internal employee complaint, a patient or competitor complaint or other source, HIPAA violations carry significant liability risks. The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes. Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters. She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns. Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others. She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

Leave a Comment » | Academic medicine, ASC, Childrens Health Insurance Program, Doctor, Electronic Medical Records, Employment, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Indian Health, Medicare Advantage, Mental Heatlh, OCR, Pharmacy, Physician, Privacy, Rural Health Care | Tagged: Civil Monetary Penalties, HIPAA, Mass General, OCR, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Health Care & Other HIPAA Covered Entities Should Review New Reports As Part of HIPAA Risk Management Efforts

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012. They include the following:

Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA, In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

HIPAA Privacy Rule and Sharing Information Related to Mental Health published on
Spanish Language Model Notices of Privacy Practices published on 2/13/14
CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports published on 2/3/14; and
Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS) published on 1/7/14.

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

For Help With Investigations, Policy Review & Updates Or Other Needs

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

CMS To Host Provider Webinar To Celebrate National Health IT Week

September 13, 2013

In celebration of the third annual National Health IT Week is September 16-20, the Centers for Medicare & Medicaid Services (CMS) will host several webinars and launching new eHealth tools and resources that it intends to help providers participate in eHealth programs. These programs may be of interest to providers as well as payers who are interested in what providers are doing to use eHealth tools.

Details of Webinar

The eHealth Provider Webinar will be held on Thursday, September 19^th from 12:00 p.m. to 1:30 p.m. ET. CMS plans to present an overview of the eHealth programs and its eHealth initiative—an initiative that aligns health IT and electronic standards programs on:

Administrative Simplification
eRx Incentive Program
ICD-10
Quality Measurement

A portion of the webinar will also be dedicated to Q&A.

Registration Information

Space is limited. Register now to secure your spot for the eHealth Provider Webinar. Once registration is complete, you will receive a follow-up email with step-by-step instructions on how to log-in to the webinar. Listserv messages are sent prior to each webinar session with registration information.

If you’d like to view past webinars, the PowerPoint presentations and recordings can now be accessed on the Resources page of the eHealth website. For more information about CMS’ eHealth Initiatives, visit the CMS eHealth website for the latest news and updates on CMS’ eHealth initiatives.

For More Information Or Assistance

If you need assistance responding to this invitation or with other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters. She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Affordable Care Act, Ambulatory care, Anti-KickBack, ASC, Childrens Health Insurance Program, Conditions of Participation, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Disability Discrimination, Disease Management, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, Employment, Evidence Based Medicine, Federal Health Center, Genetic Information, Grants, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Qulity, Health Care Reform, Health Insurance Exchange, Health Plan, Health Plans, Health Policy, HIPAA, Home Health, Hospital, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Meaningful Use, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OCR, OIG, Outcomes Data, Outpatient, Pandemic, Patient Empowerment, Patient Protection and Affordable Care Act, Peer Review, Physician, Physician Licensing, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Real Estate, Rehabilitation Act, Reimbursement, Reproductive Rights, Rural Health Care, Stark, Substance Abuse, Swine Flu, Technology, Telemedicine, Veterans Health, Veterans Health Care | Tagged: Breach Notification, CMS, eHealth, Health IT, HHS, HIPAA Privacy, Hospital, Physicians, Providers, Security | Permalink
Posted by Cynthia Marcotte Stamer

Tell HHS What You Think-Comment On HHS Strategic Plan Now!

September 9, 2013

Health care providers, health plans, employers and others concerned about the regulatory and enforcement activities of the Department of Health & Human Services (HHS) can make their concerns known by speaking up now. Share your input on the draft HHS strategic plan that will guide HHS’ regulatory and enforcement agenda for the next 4 years.

Every 4 years, HHS updates its strategic plan, which describes its work to address complex, multifaceted, and ever-evolving health and human service issues, including:

Health Care
Research and Innovation
Prevention and Wellness

HHS is inviting public input on the draft HHS Strategic Plan for FY 2014-2018. The comment period is open until October 15, 2013. Individuals or organizations wishing to respond to this invitation can read the HHS Strategic Plan FY 2014-2018 (Draft) and submit your comments several ways including:

Submit your comments online here
Via Email to: strategicplanning@hhs.gov
Via Fax: (202) 690-8252
U.S. Mail (not recommended as security screening results in significant delay.

For More Information Or Assistance

If you need assistance responding to this invitation for comment or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters. She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Leave a Comment » | Academic medicine, Affordable Care Act, Ambulatory care, Anti-KickBack, ASC, Childrens Health Insurance Program, Conditions of Participation, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Disability Discrimination, Disease Management, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, Employment, Evidence Based Medicine, Federal Health Center, Genetic Information, Grants, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Qulity, Health Care Reform, Health Insurance Exchange, Health Plan, Health Plans, Health Policy, HIPAA, Home Health, Hospital, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Meaningful Use, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OCR, OIG, Outcomes Data, Outpatient, Pandemic, Patient Empowerment, Patient Protection and Affordable Care Act, Peer Review, Physician, Physician Licensing, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Real Estate, Rehabilitation Act, Reimbursement, Reproductive Rights, Rural Health Care, Stark, Substance Abuse, Swine Flu, Technology, Telemedicine, Veterans Health, Veterans Health Care | Tagged: Breach Notification, HHS, HIPAA Privacy, Hospital, Security | Permalink
Posted by Cynthia Marcotte Stamer

Medical Device Excise Tax Rules Supplemented

December 9, 2012

Medical device manufacturers heads up! The Internal Revenue Service (IRS) has adopted interim rules for relating to the excise tax on medical devices imposed by § 4191 (the “medical device excise tax”) of the Internal Revenue Code (the “Code”).

Section 4191, enacted by section 1405 of the Health Care and Education Reconciliation Act of 2010 in conjunction with the Patient Protection and Affordable Care Act (the Affordable Care Act) enacted a new excise tax on the sale of certain medical devices. The excise tax imposed by Code section 4191 is 2.3% of the price for which the taxable medical device is sold. The medical device excise tax is codified in chapter 32, subtitle D of the Code (“chapter 32”), which pertains to excise taxes imposed on the sale or use of taxable articles by manufacturers, producers, and importers (commonly referred to as “manufacturers excise taxes”). See § 48.0-2(a)(4)(i) of the Manufacturers and Retailers Excise Tax Regulations (Regulations). The Code defines the term “manufacturer” to include a “producer” and an “importer”.

On December 7, 2012, the Internal Revenue Service (IRS) and the Treasury Department issued TD 9604, containing final regulations under § 4191. The final regulations did not address certain issues that the IRS and the Treasury Department continue to study. These issues included the determination of price under § 4216(b); the tax treatment of medical software licenses; the taxability of donated medical devices; and the taxability of medical convenience kits.

The IRS recently followed up by issuing Notice 2012-77. Notice 2012-77 available here contains the IRS’ rules about:

How to determine price for purposes of the medical device excised tax under Code section 4216(b);
Donated taxable medical devices;
Licensing of taxable medical devices;
The tax treatment of medical convenience kits;
Transition relief to medical device manufacturers from the failure to deposit penalties imposed by § 6656; and
Invites comments from taxpayers about its rules.

As these rules take effect January 1, 2013, device manufacturers should review the new guidance and update their procedures to provide for timely determination and payment of any required device taxes. In addition, device manufacturers also will need to kep an eye out for potential changes in the rules. The IRS and the Treasury Department have said they may issue additional published guidance on these issues in the future.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help reviewing or commenting on the Tests Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, and A Fellow in the American Bar Association, State Bar of Texas and other prominent organizations, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to set up and administer medical privacy, EHR and other technology and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her experience here.

Other Recent Updates & Resources

If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, DME, medical device, medical device excise tax, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Updated 2013 ACA Prescription Drug Fee Calculation & Payment Rules Released; 12/18 Deadline To File Form 8947

December 4, 2012

December 17, 2012 is the deadline for covered entities to file a Form 8947 as part if its reporting and payment of the Form 8947The Internal Revenue Service (IRS) Notice 2012-74 sets forth the instructions for calculation and reporting branded prescription drug fee for the 2013 fee year under Section 9008 of the Patient Protection and Affordable Care Act, as amended by section 1404 of the Health Care and Education Reconciliation Act of 2010 (Affordable Care Act).

The Act imposes an annual fee on covered entities engaged in the business of manufacturing or importing branded prescription drugs. The Branded Prescription Drug Fee Regulations in 26 C.F.R. Part 51 published on August 18, 2011 provide the method for calculating each covered entity’s annual fee and the fee year for purposes of these rules and how the fee must be reported and paid. See 76 Fed. Reg. 51245. These regulations also define terms for the administration of the fee.

Notice 2012-74/s instructions on the 2013 prescription drug fee discusses:

The submission of Form 8947, “Report of Branded Prescription Drug Information,”
The time and manner for notifying covered entities of their preliminary fee calculation;
the time and manner for covered entities to submit error reports for the dispute resolution; process; and
The time for the IRS to notify covered entities of their final fee calculation.

12/18/12 Deadline to File Form 8947

One of the deadlines for this process is rapidly approaching. Section 51.3T provides that annually, each covered entity may submit a completed Form 8947, “Report of Branded Prescription Drug Information,” in accordance with the instructions for the form. Generally, the form solicits information from covered entities on National Drug Codes, orphan drugs, designated entities, rebates, and other information specified by the form or its instructions. The form is to be filed by the date prescribed in guidance published in the Internal Revenue Bulletin.

Notice 2012-74 sets the deadline for a covered entity that chooses to submit Form 8947 for 2013 at December 17, 2012.

Preliminary Fee Calculation

For the 2013 fee year, the IRS will mail each covered entity a paper notice of its preliminary fee calculation by April 1, 2013. This mailing will include a National Drug Code (NDC) attachment (NDC attachment) that lists the covered entity’s NDCs and the sales data reported to the IRS by each government program pursuant to § 51.4T.

A covered entity may request that the IRS send a CD-ROM with the NDC attachment in Microsoft Excel format. The covered entity must make this request by March 15, 2013. This request must be made either by telephone to Ingrid Taylor at (908) 301-2118 or Mi Lim at (312) 292-3775 (not toll-free calls) or by email to it.bpd.fee@irs.gov. If a covered entity makes this request timely, the IRS will mail the covered entity its notice of preliminary fee calculation on paper and the NDC attachment on paper and CD-ROM by April 1, 2013.

Submitting Error Reports For The Dispute Resolution Process

For the 2013 fee year, a covered entity that chooses to submit an error report regarding its preliminary fee calculation must mail the error report by May 16, 2013. When the IRS mails each covered entity a notice of its preliminary fee calculation by April 1, 2013, the IRS will also send each covered entity a template on a CD-ROM that the covered entity must use to prepare its error report. All completed templates and the supporting documentation must be submitted on a CD-ROM to the IRS in a timely fashion.

Final Fee Calculation & Payment

The IRS will notify each covered entity of its final fee calculation for 2013 by August 31, 2013. In accordance with § 51.8T(c), each covered entity must pay this fee by September 30, 2013.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy and other technology, risk management and compliance-related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her experience here.

Other Recent Updates & Resources

OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: CMS, Health Care Fraud, Health Care Fraud Task Force, Health Care Reimbursement, HHS, Hospitals, Inpatient, Medicare, OIG, outpatient, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

Hospitals Urged To Tighten Inpatient & Outpatient Admission Records As OIG Audits Hospitals for New vs. Established Patients,

November 29, 2012

Hospitals should act quickly to adopt appropriate compliance policies and tighten outpatient and inpatient admissions recordkeeping and associated billing activities to minimize exposures signaled by audits announced by the Department of Health & Human Services (HHS) Office of Inspector General (OIG).

OIG reportedly is auditing inpatient and outpatient hospital claims for new and established patients to identify potential overcharges by some hospital-based outpatient clinics that may have resulted from treating established patients as if they were new patients. OIG’s Office of Audit Services reportedly sent letters to some hospitals in October, asking about a handful of claims for new patient visits that OIG suspects the hospital should have billed as established patient visits. In addition to requesting specific information about line items on the claims and their internal controls for billing new versus established patients and provide descriptions of written policies and procedures governing the facilities classification of new versus established patients and internal controls for detecting errors.

Medicare typically pays more for new versus established patients since CMS implemented the outpatient prospective payment system in 2000. Since 2008, CMS rules have specified that patients who visit the hospital outpatient clinic within three years are established patients, and after that they are new, with Medicare paying more for the latter. See(73 Fed. Reg. 68502, 68679 (November 18, 2009). Data mining technology increasingly used by CMS and other federal fraud investigators facilities the ability of Medicare and others to identify errors in coding and billing resulting from misclassication of existing patients as new.

Many hospitals may be exposed under this requirement for a variety of reasons including failure to appropriately track and coordinate inpatient and outpatient admission data, defaults built into recordkeeping systems and omissions to timely update practices or training. In contrast to the risk of overbilling from incorrectly treating patients as new, hospitals that bill all patients as established to overcome inadequacies in their ability to track new versus established patients often leave money on the table unnecessarily by foregoing added reimbursement that the facility otherwise would qualify for it could reliably identify new patients.

While strengthening coding and billing to ward of risks, may debate the appropriateness of CMS’ new versus existing patient distinction outside the physician office context. Critics contend that unlike in the physician office context, the level of care or resources delivered for a new patient compared to a patient who previously visited the hospital doesn’t generally differ. Parties with these concerns should continue to ensure appropriate compliance with existing rules while providing input and feedback to CMS and other regulators about their concerns with the policy’s suitability.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy and other technology, risk management and compliance-related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her experience here.

Other Recent Updates & Resources

OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: CMS, Health Care Fraud, Health Care Fraud Task Force, Health Care Reimbursement, HHS, Hospitals, Inpatient, Medicare, OIG, outpatient, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight

November 29, 2012

The Department of Health & Human Services Office of Inspector General is recommending the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) act to improve the effectiveness of its oversight and management of the Medicare electronic health record (EHR) incentive program. The recommendations are likely to impact on the requirements that hospitals and other professionals will be required to meet to get and keep EHR program incentive payments. Consequently, hospitals, physicians and other providers and their technology and other systems advisors and vendors should carefully watch and respond to changes that these two agencies implement in response to the OIG feedback.

According to an OIG study reported here, the CMS estimates that it will pay $6.6 billion in EHR incentive payments to providers under the program between 2011 and 2016. Many hospitals, physician organizations and other providers are making substantial investments in EHR and related technologies in reliance of expectation of receiving program incentive payments. Accordingly, parties hoping to qualify for incentive programs need to watch closely the actions that the agencies take in response to this OIG input or otherwise that impacts on qualification and audits.

OIG Study & Findings

OIG’s early assessment of CMS’s oversight of the Program found that because professionals and hospitals self-report data to prove fulfillment of program requirements, CMS’s efforts to verify these data will help make sure the integrity of Medicare EHR incentive payments.

The recommendation comes from an OIG study reviewing CMS’s oversight of professionals’ and hospitals’ self-reported meaningful use of certified EHR technology in 2011, the first year of the program. OIG evaluated self-reported information against program requirements. It also looked at CMS’s audit planning documents, regulations and guidance for the program and conducted structured interviews with CMS staff on CMS’s oversight.

Based on this evaluation, OIG foundCMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements. OIG says CMS has not yet implemented strong prepayment safeguards, and has limited ability to safeguard incentive payments postpayment. OIG also reports that the ONC requirements for EHR reports may contribute to CMS’s oversight obstacles.

OIG Recommended Corrective Action

Based on its study, OIG is recommending that CMS take the following actions.

Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self‑reported information and
Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance.

CMS did not agree with our first recommendation, stating that prepayment reviews would increase the burden on practitioners and hospitals and could delay incentive payments. Despite this CMS feedback, OIG nevertheless is continuing to recommend that CMS conduct prepayment reviews to improve program oversight. CMS concurred with our second recommendation.

OIG also recommended that ONC take the following actions:

Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible and
Improve the certification process for EHR technology to make sure applicants provide accurate EHR reports.

ONC concurred with both recommendations.

Recommended Provider Action

Hospitals and providers looking to take advantage of the HER incentive payments should carefully monitor the developments resulting from these recommendations and take proper actions to stay compliant with evolving requirements as they move forward.

Along with monitoring these responses, providers participating in the incentive program also need to stay abreast of other developments. For instance, last month, ONC announced the release of the Wave 7 2014 Edition Draft Test Methods (test procedures, tools, and applicable test data and files). See 2014 Edition Draft Test Procedures webpage. Additional waves of test methods are impending. ONC says it expects the final set of Test Methods to be available for use in early 2013.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her experience here.

Other Recent Updates & Resources

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, CMS, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, OIG, ONC, PHI, Physicians, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

ONC Changes Start Time, Releases Agenda For 11/13 Virtual Workshop On Health IT Test Standards

November 9, 2012

The Office of the National Coordinator for Health IT (ONC) today (November 9, 2012) announced a preliminary agenda of topics and the procedures that health care providers and other interested parties wishing to participate in a public virtual workshop on the ONC Health Information Technology (IT) Certification Program and 2014 Edition Test Methods that ONC plans to host on Tuesday, November 13, 2012 from 8:15 AM-4:30PM EST.

The announced commencement time is 45 minutes earlier than the originally announced 9:00 AM start time that ONC had announced as the start time for the workshop in November 8 announcements.

To review the preliminary agenda for the workshop, see http://www.healthit.gov/policy-researchers-implementers/2014-edition-draft-test-methods.

According to today’s ONC announcement, parties wishing to participate in the virtual workshop should register for ONC Certification Technical Workshop on Nov 13, 2012 8:15 AM EST at https://attendee.gotowebinar.com/register/2114316126469925632 . ONC says that successful registrants will receive a confirmation email containing information about joining the webinar.

The planned workshop follows ONC’s anno0uncement of the release for review of the latest in a series of electronic medical records Test Standards that ONC has issued recently in its march to implement its mandate. ONC says all Test Methods will undergo public review and comment before being finalized and approved by ONC for use in testing and certification. ONC typically allows a two week period of public review and comment from the date posted for public review and comment on each Wave.

In keeping with this process, ONC is inviting interested persons to submit comments and suggestions to ONC.Certification@hhs.gov. All submissions should include “2014 Test Methods” in the subject line. ONC asks that parties submitting input to be as specific as possible in their comment submissions.

ONC says it expects the final set of Test Methods to be available for use in early 2013.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help reviewing or commenting on the Tests Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, ONC, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

November 8, 2012

The Office of the National Coordinator for Health IT (ONC) today (November 8, 2012) announced the release of the Wave 7 2014 Edition Draft Test Methods (test procedures, tools, and applicable test data and files). To review the 2014 Edition draft Test Methods, visit the 2014 Edition Draft Test Procedures webpage. As a follow up to this announcement, ONC is inviting interested parties to participate in a public workshop on the ONC HIT Certification Program and 2014 Edition Test Methods on Tuesday, November 13^th, 9AM-4:30PM EST.

The Test Procedures announced today are the latest in a series ONC has issued recently. ONC says all Test Methods will undergo public review and comment before being finalized and approved by ONC for use in testing and certification. ONC typically allows a two week period of public review and comment from the date posted for public review and comment on each Wave.

ONC says it expects the final set of Test Methods to be available for use in early 2013.

To help interested parties stay informed about the Test Messages, ONC also announced today it will host a virtual public workshop on the ONC HIT Certification Program and 2014 Edition Test Methods on Tuesday, November 13^th, 9AM-4:30PM EST. According to ONC, the topics to be covered include 2014 Test Procedures, Test Tools, Test Data, ONC Timeline, and the Certified Health IT Product List (CHPL). ONC says additional details regarding access and agenda will be forthcoming. Watch the ONC website.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help reviewing or commenting on the Tests Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, ONC, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

September 17, 2012

Physician practices and other health care providers, health plans, health care clearinghouses and their business associates have yet another $1 million plus reminder of the importance of taking proper steps to secure electronic protected health information and take other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services’ (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) on September 17, 2012.

MEEI Resolution Agreement

The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The laptop information included patient prescriptions and clinical information.

OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices , and adopting and implementing policies and procedures to address security incident identification, reporting, and response. OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

To settle the charges, MEEI will pay a $1.5 million settlement to OCR. In addition, the Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.

High Dollar Resolution Agreements Increasingly Common

The MEEI Resolution Agreement follows on the resolution agreement previously announced this year with Arizona-based Phoenix Cardiac Surgery, P.C. (PCS). That resolution agreement required PCS to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated HIPAA.

Health care providers and other HIPAA-covered entities should heed the MEEI, PSC and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer appropriate HIPAA compliance practices.

Following the announcement by OCR last month that Blue Cross Blue Shield of Tennessee (BCBST) would pay $1,500,000 to resolve HIPAA violations charges, and the latest in a series of Resolution Agreements announced by OCR in recent years, the PCS highlights the willingness to sanction health care providers and other covered entities of all sizes. “The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. For tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here or contact Ms Stamer here or at (469) 767-8872.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, Health Care, Health Insurance Portability & Accountability Act, HIPAA, OCR, Office of Civil Rights, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

ONC Releases First Wave of EHR Test Procedures; More To Come

September 14, 2012

On September 7th the ONC published the first wave of draft Test Procedures and applicable test data files for the 2014 Edition Elelctronic Health Record (EHR) certification criteria for public review and comment. ONC will release additional Test Procedures in waves on a weekly or bi-weekly basis. Each set of draft test procedures will undergo a two week period of public review and comment from the date posted. You can now provide input on Wave One 2014 draft Test Procedures. Visit the site for detailed information on the 2014 Test Procedure development process at http://www.healthit.gov/policy-researchers-implementers/2014-edition-draft-test-procedures.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, ONC, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

September 14, 2012

Along with its stepped up enforcement and new audit programs, the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) is working to promote and encourage better voluntary compliance by physician and other health care providers by releasing a new interactive security and privacy training game to help educate healthcare providers and their staffs to make more informed decisions regarding privacy and security of health information. Using a game format, the game asks users to respond to privacy and security challenges often faced in a typical medical practice.

With the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) stepping up enforcement and sanctions for health care providers, health plans, health care providers and their businesses associates (covered entities) that violate the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules and OCR now auditing HIPAA compliance, covered entities should self-audit within the scope of attorney-client privilege and tighten as necessary existing policies, practices and documentation to comply with evolving requirements of HIPAA and other laws requiring the protection of protected health information (PHI), personal financial information and sensitive data.

As the HIPAA Privacy, Security and Breach Rules include mandates that covered entities train members of their workforce, the new game could be a helpful component for health care providers as part of their organization’s training efforts.

The mounting list of settlement agreements – most of which have required settlement payments of more than $1 million – that OCR has announced show the growing exposures that covered entities face when violating HIPAA. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. These settlements and sanctions prove the importance of covered entities strengthening their HIPAA compliance and adopting other suitable safeguards to keep up HIPAA compliance and minimize HIPAA and other exposures that can arise if PHI, personal financial information and other sensitive data. For tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Health Care, Health Plans, HIPAA, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference

March 14, 2012

On Wednesday, March 14, 2012 at 1 p.m. EDT, National eHealth Collaborative’s NeHC University will host Stephen Palmer, Director of the Office of e-Health Coordination at the Texas Health and Human Services Commission, to describe the HIE strategy being pursued by the state of Texas. Palmer will be joined by Kem McClelland of the Integrated Care Collaboration, Tony Gilman of the Texas Health Services Authority, and Bryan White of the North Texas Accountable Healthcare Partnership to showcase the Texas strategy in action and detail the progress that has been made on the ground.

To participate register and join NeHC University’s Spotlight on the Texas Statewide HIE Strategy.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, business associate, Health Care, Health Plan, HIPAA, HITECH Act, OCR | Permalink
Posted by Cynthia Marcotte Stamer

$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report

March 13, 2012

Resolution Agreement Also 1^st Announced With Health Plan

Health care providers, health plans and other covered entities beware and prepare! Reporting a large breach under the HITECH Act breach notification rules will trigger a Department of Health & Human Services (HHS) Office of Civil Rights (OCR) investigation into whether OCR should impose civil monetary penalties against the reporting covered entity under the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay OCR $1,500,000 and to take certain other actions specified in a corrective action plan to avoid civil monetary penalties for charges of HIPAA violations. The BCBST Resolution Agreement is particularly significant, both as:

The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
The first reported resolution agreement reached with a covered entity that is a health plan.

These notable enforcement firsts show the HITECH Breach Notification Rule’s significance as an OCR HIPAA enforcement tool, the heightened exposure to an OCR opening a HIPAA civil monetary penalty (CMP) investigation following a report, as well as the willingness of OCR to sanction health plans as well as other covered entities that breach HIPAA’s Privacy or Security Rules.

BCBST Investigation Began In Response to HITECH Act Breach Notification Rule Report

The OCR investigation that lead to the BCBST settlement began in response to BCBST making a report required under the Breach Notification Rule of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee, which contained the protected health information (PHI) of over 1 million individuals. Read more details here.

The Breach Notification Rule enacted as part of amendments to HIPAA under the HITECH Act requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media as well as an annual consolidated report of smaller breaches to HHS.[1] Along with the Breach Notification Rules, the HITECH Act also increased the civil monetary penalties (CMPs) that covered entities like BCBST can incur for HIPAA violations. When it imposed its first ever CMP last year, OCR imposed a $4.3 million CMP against Cignet Health of Prince George’s County, Md. (Cignet).

In an apparent effort to impose a potentially larger CMP assessment arising from the investigation of its breach report, BCBST greed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The BCBST Resolution Agreements, like the Cignet CMP and other high dollar Resolution Agreements OCR has announced against various health care providers highlight the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as the significance of its Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. Fortips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, business associate, Health Care, Health Plan, HIPAA, HITECH Act, OCR | Permalink
Posted by Cynthia Marcotte Stamer

OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks

November 9, 2011

The kickoff of a new compliance audit pilot program provides another reason for health care providers, health plans, healthcare clearinghouses and their business associates to get serious about compliance with the privacy, security and data breach requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

OCR Pilot Audit Program Begins

On November 8, 2011, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced that it will begin auditing HIPAA compliance this month under a new pilot program.

As amended by the American Recovery and Reinvestment Act of 2009 in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to make sure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To carry out this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance between November 2011 and December 2012.

The commencement of OCR HIPAA compliance audits is yet another sign that covered entities and their business associates should get serious about HIPAA compliance. The audit program serves as a new part of OCR’s health information privacy and security compliance program. While OCR says that it presently views the pilot audits as primarily a compliance improvement tool, this does not mean violators should expect a free walk.

Even before the impending audits, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. Earlier this year, OCR imposed a $4.3 Million Civil Money Penalty (CMP) against Cignet Health of Prince George’s County (Cignet) for violating HIPAA. Meanwhile, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. Under amendments made by the HITECH Act, state attorneys general also now are empowered to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations also will get the right to share in a portion of certain HIPAA recoveries.

These and other audit and enforcement activities send a strong message that covered entities and their business associates need to get serious about HIPAA compliance. As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” Learn more here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Vice President of the North Texas Health Care Compliance Professionals Association, a member of the American College of Employee Benefit Counsel, Past Chair of the ABA RPTE Employee Benefits & Other Compensation Arrangements Group, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies. Ms. Stamer also regularly helps clients deal with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on the required “culture of compliance” with HIPAA are frequently included in medical privacy related publications of the Atlantic Information Service, Modern Health Care, HealthLeaders and many others. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here or may contact her at (469) 767-8872 or via e-mail here.

You can review other selected publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here.

About Solutions Law Press

Leave a Comment » | Academic medicine, ASC, Centers For Disease Control, Childrens Health Insurance Program, DEA, Disease Management, DME, Doctor, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Employer, FACTA, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Inpatient Rehabilitation Facility, Medicaid, Medicare, Mental Heatlh, OCR, Outpatient, Pharmacy, Physician, Prescription Drugs, Privacy, Rural Health Care | Tagged: Data Security, Doctor, Health Care Provider, HIPAA, HITECH, home health, Hospital, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Providers Brace For New HIPAA Enforcement As OCR Announces Hospital Resolution Agreement Requiring $1 Million Settlement Payment

February 25, 2011

Announcement Made 2 Days After OCR Announces $4.3 Million HIPAA Civil Penalty Against Cignet

General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced the Resolution Agreement two days after announcing that its first official assessment of a civil monetary penalty CMP under HIPAA – a $4.3 million against Cignet Health of Prince George’s County, Md., (Cignet). Read more details here

HIPAA Privacy Rule restricts the use, access and disclosure by covered entities of PHI and other individually identifiable health care information to those outlined within the Rules. Under HIPAA covered entities also are responsible for establishing and enforcing policies and procedures that safeguard PHI against improper use, access or disclosure by employees, business associates, and other third parties. Noncompliance with the Privacy and Security Rules exposes a covered entity to criminal prosecution and penalties, civil penalties or both. The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to safeguard the privacy of patient information, including such information during its disposal. Under amendments to HIPAA enacted under the HITECH Act, business associates now also are accountable and subject to direct liability for failing to comply with HIPAA’s requirements. Amendments to HIPAA under the HITECH Act, further expand the risks and responsibilities of health care providers and other covered entities.

Announced just two days before the Mass General Resolution Agreement, the Cignet CMP announced February 22, 2011 is the first CMP ever assessed by OCR under the HIPAA Privacy Rule. The assessment resulted after OCR found Cignet violated 41 patients’ HIPAA rights and committed other HIPAA violations. The $4.3 million CMP against Cignet applies the expanded HIPAA violation categories and increased HIPAA civil monetary penalty amounts authorized by HIPAA amendments made by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Read more details.

Even before the Mass General Resolution Agreement and Cignet CMP announcements, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $1 Million from Rite Aid in a 2010 Resolution Agreement, $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated that covered entities could face significant civil liability for willful violations of the Privacy Rules. In addition to these civil enforcement actions by OCR, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others. Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that fail to properly manage their HIPAA compliance obligations and risks.

The Mass General and Cignet announcements and other enforcement actions demonstrate that OCR is moving forward on its announced plans to hold health plans, health care providers, health care clearinghouses (covered entities) and their business associates that violate HIPAA accountable. Added to other recent developments, the Mass General and Cignet enforcement actions demonstrate that OCR’s commitment to enforcing HIPAA and illustrate the significant exposures that covered entities and business associates risk by disregarding their HIPAA obligations.

As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, stating, “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. Health plans and other covered entities as well as their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks. To minimize the potential that the health plan’s sharing of information with the employer will create or spread HIPAA or other privacy risks to the employer or members of its workforce, employers and other plan sponsors and members of their workforce also should take steps to ensure not only that their health plan documents, policies and procedures, as well as those policies and practices applicable to the employer, its human resources, and benefits advisors when accessing or handling health plan or other medical information on behalf of the employer, rather than the plan, are appropriately designed and administered.

Act To Manage HIPAA Exposures

In response to these expanding exposures, covered entities and their business associates should review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Cignet, Rite Aid, Provident and CVS enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements.

For Help With Investigations, Policy Review & Updates Or Other Needs

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

HHS Imposes 1st HIPAA Privacy Civil Penalty of $4.3 million

February 22, 2011

Health Care Providers Should Strengthen HIPAA Compliance & Defenses As Risks Rise

$4.3 million is the amount of the civil monetary penalty (CMP) that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has ordered Cignet Health of Prince George’s County, Md., (Cignet) to pay for violating the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule.

The first CMP ever assessed by OCR under the HIPAA Privacy Rule, the Cignet CMP assessment is the latest in a series of developments documenting the rising risks that health care providers, health plans, health care clearinghouses and their business associates (“covered entities”) face for violations of HIPAA. Covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks. Read more details.

Even before the announcement of the Cignet CMP, the HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. As of January 1, 2011, OCR reports that 12,781 of the cases it has investigated have been resolved by requiring changes in privacy practices and other corrective actions by the covered entities and has referred more than 484 Privacy Rule breach investigations to the Department of Justice for consideration for potential criminal prosecution.

While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated the willingness of OCR to pursue significant civil remedies against covered entities that it determined willfully violated the Privacy Rules.

For Help With Compliance, Investigations Or Other Needs

If you need assistance auditing or tightening your existing HIPAA and other confidentiality practices or addressing other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies and to respond to OCR, FTC, medical board and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on Medicare quality and other compliance concerns. Her publications and insights on HIPAA and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Leave a Comment » | Academic medicine, ARRA, ASC, Centers For Disease Control, Disease Management, DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Federal Health Center, Genetic Information, Health Care, Health Care Provider, Health Care Quality, Health IT, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Indian Health, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Peer Review, Pharmacy, Physician, Privacy, Reimbursement, Telemedicine | Tagged: covered entity, Health Care, HIPAA, Hospital, Medical Confidentiality, OCR, Physician, Privacy Rule, Security Rule | Permalink
Posted by Cynthia Marcotte Stamer

Health Providers, Plans Make Recommendations To ONC Working Group On Governance Mechanisms By 11/3

October 26, 2010

The Office of the National Coordinator for Health Information Technology (ONC) Governance Workgroup (Workgroup) is developing recommendations on governance mechanisms for the nationwide health information network.

The Workgroup identified overarching objectives, key principles, and core functions for governance in its Preliminary Report and Recommendations on the Scope of Governance presented to the Health Information Technology (HIT) Policy Committee on October 20^th. The Workgroup is now preparing final recommendations on how governance functions should be implemented and by whom.

As a first step, the Workgroup would like to identify:

Existing mechanisms that might be appropriate, with or without modifications, and with or without some added coordination; and
Whether and what new mechanisms are needed.

The Workgroup would like public input on these issues and has created a table listing the core functions and questions to frame the input.

Submit your comments here by November 3, 2010.

For More Information or Assistance

If you need assistance evaluating or responding to this development of other health care technology and process, compliance, risk management, transactional, operational, reimbursement, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients on the design and use of health information systems, technology, privacy and other related. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care privacy, technology, and other health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

OIG Shares Key Insights On When Owners, Officers & Managers Face OIG Program Exclusion Based On Health Care Entity Misconduct

HHS to Host Regional 11/18 Meeting in LA as Part of HITECH Act Psychotherapy Notes &Testing Data Study

CMS Delegated Lead Responsibility For Development of New Affordable Care Act-Required Medicare Self-Referral Disclosure Protocol

HHS announces Rules Implementing Tools Added By Affordable Care Act to Prevent Federal Health Program Fraud

Monday 9/13 Deadline To Comment Proposed HITECH Act HIPAA Privacy Rules; 9/14 Meeting Studies Proposed Changes

DMEPOS Suppliers Face 9/27 Deadline To Meet Tightened Medicare Standards Initial EHR Certification Bodies Named

HHS Announces Adjustments to Federal Medical Assistance Percentage (FMAP) Rates

CMS Publishes Corrections To Proposed 2011 Physician Fee Schedule Rules

Medicare Changing How It Pays For Outpatient Dialysis

Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As OCR Moves To Tighten Privacy Rules

HHS Invites Input On Medicaid Changes To Promote Children’s Health Quality

CMS Adopts ESRD Facility Prospective Payment System & Proposes New Quality Incentive Program

CMS Rule Clarifies When Outpatient Services Subject to 3-Day Rule & Finalizes FY 2011 Inpatient Payment Rates

New Affordable Care Act Mandated High Risk Pre-Existing Condition Insurance Pool Program Regulations Set Program Rules, Prohibit Plan Dumping of High Risk Members

CMS Proposes Changes To Civil Monetary Penalty Rules For Nursing Homes

For More Information

We hope that this information is useful to you. You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Affordable Care Act, ARRA, Electronic Health Records, Health Care, Health IT, Health Policy, Patient Protection and Affordable Care Act, Privacy, Public Policy, Technology | Tagged: ARRA, Corporate Governance, Governance, health information network, Health IT, HIPAA, internal controls, ONC | Permalink
Posted by Cynthia Marcotte Stamer

Monday 9/13 Deadline To Comment Proposed HITECH Act HIPAA Privacy Rules; 9/14 Meeting Studies Proposed Changes

September 10, 2010

9/14 NTHCPA Meeting on Strategies for Managing HIPAA Privacy Compliance After The HITECH Act

Health care providers, payers, healthcare clearinghouses and their businesses associates (Covered Entities) face a Monday, September 13, 2010 deadline to comment on proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules proposed by the U.S. Department of Health & Human Services Office for Civil Rights (OCR) on July 8, 2010 in response to amendments enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. If adopted as proposed, the more than 220 page Notice of Proposed Rulemaking (NPRM) will significantly tighten the requirements that existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) applicable to Covered Entities under HIPAA. With the risks of HIPAA noncompliance highlighted by OCR’s August announcement that drugstore giant RiteAid would pay $1 million to settle OCR charges that it violated the existing HIPAA’s Privacy & Security Rules and considering , Covered Entities Learn more about Rite Aid Resolution Agreement here. Learn more about Breach Notification Rules here.

The North Texas Health Care Compliance Professionals Association invites health industry compliance professionals share and learn Strategies for Managing HIPAA Privacy Compliance After the HITECH Act by participating in its September 14, 2010 meeting from 11:30 a.m. – 1:30 p.m. hosted by Cynthia Marcotte Stamer, P.C., at One Hanover Park, 16633 North Dallas Parkway, 6^th Floor, Addison Room, Addison, Texas 75001.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on HIPAA and other health industry compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Doctor, Electronic Health Records, Electronic Medical Records, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Physician, Privacy, Technology, Telemedicine | Tagged: Breach Notification, EPHI, Health Care, HIPAA, HIPAA Security, HITECH, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

CMS & ONC To Co-Host 7/22 ONC Certification & Medicare/Medicaid EHR Incentive Program Audio Training

July 20, 2010

The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will co-host an Audio Training on the Final Rules for ONC Certification and Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs on July 22, 2010 from 2:00-3:30 pm EST.

During the training, the Agencies plan to discuss:

Benefits of HIT
Summary of the final rules
ONC temporary certification process
ONC initial set of standards and implementation specifications
Medicare and Medicaid EHR Incentives Programs including the initial definition of meaningful Use

To join the audio training, dial 1-877-251-0301 and enter the Conference ID pass code: 87841621

Materials will be made available prior to the training at the following web address here.

For more information about CMS EMR incentives, see here.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers, health plans and insurers, and other health and insurance industry clients with HIPAA, EMR and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on these and other health industry technology, compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Affordable Care Act, ARRA, Doctor, E-Prescribing, Electronic Health Records, Genetic Information, GINA, Health Care, Health Care Provider, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Meaningful Use, Medicaid, Medicare, Medicare Advantage, OCR, Privacy, Technology, Telemedicine | Tagged: Data Security, EHR, Electronic Health Records, EMR, Health Information Technology, Health IT, Hi-TECH Act, HIPAA, HITECH Act, IT, ONC, ONC Certification, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

NCPDP SCRIPT 10.6 Approved As Medicare Part D/Advantage E-Prescribing Option

July 1, 2010

The Centers for Medicare & Medicaid Services (CMS) today (July 1, 2010) issued an interim final rule (Rule) that permits the voluntary use of the National Council for the Prescription Drug Programs (NCPDP) Prescriber/Pharmacist Interface SCRIPT standard, Implementation Guide, Version 10, Release 6 (Version 10.6) (NCPDP SCRIPT 10.6) for conducting certain e-prescribing transactions for the Medicare Part D electronic prescription drug program. Review the Rule here.

Prior to the adoption the Rule, only NCPDP SCRIPT 8.1 was authorized for use in communicating Medicare Part D medication history among sponsors, prescribers and dispensers. The Rule revises Regulation §423.160(b)(4) to specify that entities now may use either NCPDP SCRIPT 10.6 or 8.1 for the communication of Medicare Part D medication history among sponsors, prescribers, and dispensers.

Along with the rule, CMS issued a request for comments on the Rule. The deadline for interested parties to comment is 5 p.m. Eastern Daylight Time on August 30, 2010.

Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) requires that Prescription Drug Plan (PDP) sponsors, Medicare Advantage (MA) organizations offering Medicare Advantage-Prescription Drug Plans and other Medicare Part D sponsors (Plans) provide for electronic transmittal the prescribing provider, dispensing pharmacy and the dispenser of information about:

Eligibility,
Benefits (including drugs included in the applicable formulary, any tiered formulary structure and any requirements for prior authorization),
The drug being prescribed or dispensed and other drugs listed in the medication history,
The availability of lower cost, therapeutically appropriate alternatives (if any) for the drug prescribed, and
Certain other information.

Before the Rule, CMS had approved NCPDP SCRIPT 8.1 for conducting these electronic transmittals.

As a consequence of the Rule, Plans, prescribers and dispensers now may use either NCPDP SCRIPT 10.6 or 8.1 when conducting e-Prescribing to conduct:

Get message transaction.
Status response transaction.
Error response transaction.
New prescription transaction.
Prescription change request transaction.
Prescription change response transaction.
Refill prescription request transaction.
Refill prescription response transaction.
Verification transaction.
Password change transaction.
Cancel prescription request transaction.
Cancel prescription response transaction.
Fill status notification transaction.
For the communication of Medicare Part D medication history among sponsors, prescribers, and dispensers.

The MMD does not require that prescribers or dispensers implement e-Prescribing, prescribers and dispensers who electronically transmit prescription and certain other prescription-related information for Medicare Part D covered drugs prescribed for Medicare Part D eligible individuals, directly or through an intermediary, must comply with any applicable final standards that are in effect. The Rule provides new choices on how to accomplish this.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. You can get more information about her health industry experience here. If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Controlled Substances, DEA, Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, Hospital, Hospital, Meaningful Use, Medicare, Medicare Advantage, Pharmacy, Physician, Prescription Drugs, Privacy, Reimbursement, Telemedicine | Tagged: E-Prescribing, Health Care, Health Plans, Medicare Advantage, Medicare Part D NCPDP SCRIPTI, Payers, Physicians, Providers | Permalink
Posted by Cynthia Marcotte Stamer

DEA/DOJ Release Interim Final E-Prescribing Rules

March 25, 2010

Health care providers wishing to electronically prescribe controlled substance should begin reviewing and updating their practices and technology to comply with requirements of the Interim Final Regulations scheduled for publication in the Federal Register on March 31, 2010. Read details at http://wp.me/ptOGJ-94

An advance copy of the new Interim Final Regulation with Request for Comments released March 24, 2010 by the Drug Enforcement Administration (DEA) and Department of Justice on Electronic Prescribing of Controlled Substance on is posted for review here.

Concurrent with publication of the Interim Final Rule, the DEA is inviting comment on DEA is seeking additional comments on the following issues: identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

About The Author

If you need assistance with health industry human resources or other management, concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or (469) 767-8872.

Nationally and internationally recognized for more than 22 years of work with health industry technology, privacy and data security, regulatory compliance, reimbursement, workforce and staffing, licensure and accreditation, and other quality, risk management, operations and public policy matters organizations, publications, workshops and presentations and leadership Cynthia Marcotte Stamer has worked extensively with physicians, health systems, specialty and other pharmacy, telemedicine and other health technology, and other health industry clients on a diverse range of operational, product and process development, regulatory, licensure, public policy and risk management protections relating to e-prescribing, telemedicine, interoperable and other electronic health and medicine arrangements and other health care internal controls, process and privacy and technology matters. The publisher of the Solutions Law Press Health Care Update, and Solutions Law Press Health Care Privacy & Technology Update, Ms. Stamer also is a popular speaker and author of these and other health industry topics. She regularly publishes, speaks and conducts training for health industry and other organizations, the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, various medical society and other professional organizations, the Medical Group Management Association, and many other organizations. Her many publications and programs include“Changing Regulations Will Ease Way for E-Prescribing, But Physicians Shouldn’t Jump the Gun,” “Telemedicine, E-Prescribing & Electronic Health Records: Opportunities & Exposures,” “Telemedicine & E-Prescribing: Evolving Ethical, Licensing & Reimbursement Rules & Realities,” the “Tort & Other Liability” Chapter of the ABA Health Law Section/BNA E-Health & Technology Treatise, “Protecting & Using Patient Data in Disease Management Opportunities, Liabilities and Prescriptions,” Chapter 1: Privacy.” The Quest for Interoperable Electronic Health Records: A Guide to Legal Issues in Establishing Health Information Networks (AHLA 2005) (Contributing Author), “Cybercrime and Identity Theft: Health Information Security beyond HIPAA,” “Privacy & Securities Standards-A Brief Nutshell” and numerous other programs and publications on telemedicine and e-prescribing, HIPAA and other privacy and data security, and other related internal controls and operational matters. Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Spencer Publications, World At Work, SHRM, Business Insurance, James Publishing and many others. You can review other highlights of Ms. Stamer’s health care experience here, and employment experience here. Her insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

For More Information

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Centers For Disease Control, Controlled Substances, Corporate Compliance, DEA, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, HIPAA, HITECH Act, Hospital, Licensing, Meaningful Use, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Privacy, Reimbursement, Telemedicine | Tagged: Controlled Substances, DEA, E-Prescribing, Health IT, Health Technology, HIPAA, HITECH Act, Meaningful Use, Telemedicine | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

February 25, 2010

By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun posting on its website the names and certain information about health care providers, health insurers, employer and other health plans, health care clearinghouses and their business associates (Covered Entities) reporting to OCR “breaches” of “unsecured protected health information” (UPHI) under new breach notice rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Covered Entities should anticipate the posting of the breach information and other HITECH Act breach notices coupled with amendments to the medical privacy and security requirements of the Health Insurance Portability & Accountability Act (HIPAA) effective since February 17, 2010, will heighten enforcement risks and public sensitivities about medical information privacy safeguards. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other significant liability exposures, Covered Entities should act quickly to manage these emerging risks.

Covered Entity Breach Notification Requirements

The initial list of Covered Entities reporting breaches of UPHI affecting 500 or more individuals posted by OCR on February 22, 2010 discloses the Covered Entity’s name and State, the approximate number of individuals affected, the date and type of breach and the location of the breached information. OCR’s posting of this information is required under the HITECH Act breach notification requirements as part of its implementation and enforcement of new breach notification requirements added to HIPAA by Section 13402(e)(3) of the HITECH Act.

The HITECH Act amended HIPAA to require Covered Entities to require Covered Entities provide notification to individuals, OCR and others when certain breaches of UPHI happen. The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR here require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.

Covered Entities generally should consider the need to provide breach notification under the Breach Regulation whenever electronic or non-electronic protected health information which is not adequately encrypted or destroyed to qualify as “secured” under the breach rules is used, accessed or disclosed in violation of HIPAA.

Since the potential need to provide breach notification is triggered by an impermissible use, access or disclosure of UPHI, up-to-date maintenance, monitoring and enforcement is at the heart of compliance with the Breach Regulation as well as HIPAA generally.

You can review the currently posted list of Covered Entities that have reported breaches on the OCR website here. Learn more about the Breach Regulation requirements here.

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

The new breach notification requirements are part of a series of changes made to HIPAA under the HITECH Act that are increasing the responsibilities and liability exposures of Covered Entities. On February 17, 2010, Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted in the HITECH Act. When the HITECH Act was signed into law on February 17, 2009, Covered Entities also became subject to expanded sanctions and remedies for HIPAA violations.

To comply with the HITECH Act changes to HIPAA effective on February 17, 2010, most Covered Entities and their business associates generally will need to update their written policies, operational procedures, technical safeguards, privacy notices, vendor and other agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have not adequately implemented the necessary arrangements. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

HIPAA-associated exposures for Covered Entities are significant and growing. Timely action to comply with the amended HIPAA requirements and Breach Regulations is important to avoid triggering the breach notification requirements; to prevent loss of public trust and reputation; and to minimize exposures to legal actions, administrative complaints and sanctions and the investigation, defense and correction costs likely to result when a Covered Entity violates or is accused of violating HIPAA or otherwise mishandling medical or other personal information.

Even before the HITECH Act changes became effective, federal regulators were stepping up HIPAA enforcement. The HITECH Act amendments further increase the risk that Covered Entities violating HIPAA face investigation and sanction. The HITECH Act amendments increase the likelihood that Covered Entities violating HIPAA will get caught and will face some form of damage or penalty assessment. Heightened awareness of UPHI breaches resulting from HITECH Act mandated breach notifications are likely to fuel new HIPAA-related complaints, charges and demands. Covered Entities, workforce members who wrongfully access protected health information now face potential civil penalties, criminal prosecution, civil lawsuits and other actions. Allowing state attorneys general to bring suit adds more manpower to the enforcement team. Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

New Risks Created By HITECH Act Amendments

Heightened HIPAA exposures stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:

Allow a State Attorney General to sue Covered Entities that commit HIPAA violations after February 16, 2009 for damages caused to state citizens;
Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
Require OCR to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
Revise the criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA; and
Amend HIPAA to make clear that workforce members and others improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.

State Attorney General Lawsuit Exposures

Covered Entities must be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA. In certain situations, the HITECH Act empowers a state attorney general to sue Covered Entities for damages if their HIPAA violations harm state citizens. Statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs are authorized.

A HIPAA civil lawsuit demonstrates the willingness of at least some states to exercise the new authority to sue Covered Entities. On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, OCR and Department of Justice increased HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, OCR also is emphasizing HIPAA enforcement. In February, 2009, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities. See more details here. While not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose Covered Entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws. Federal and state prosecutors may and increasingly do bring criminal or civil actions against organizations or individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws . See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.

State Civil Lawsuits

Covered Entities also need to prepare to defend HIPAA-related conduct in state civil actions. Individual plaintiffs increasingly used alleged HIPAA violations in state privacy, negligence, retaliation, wrongful discharge or other lawsuits. State courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits. In Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim. Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, disgruntled employees or other business partners performing services for Covered Entities also increasingly are pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Read more here.

Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities that fail to properly manage their HIPAA compliance obligations and risks. To help guard against these exposures, Covered Entities should act quickly to strengthen their HIPAA defenses by updating policies, contracts, practices, security, training, oversight, documentation and management.

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

Faced with these expanding obligations and exposures, Covered Entities should prepare for the need to defend the adequacy of their HIPAA compliance efforts on paper and in operation. As part of these efforts, Covered Entities should consider:

Reviewing the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information within the scope of attorney-client privilege taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable;
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
Renegotiating and enhancing service provider agreements to detail the specific compliance obligations of each party; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; to clarify rights of indemnification; and other related relevant matters;
Improving technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information;
Conducting well-documented training as necessary to ensure that members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reporting and responding to suspected violations;
Tracking actual and near miss violations and making adjustments to policies, practices, training, safeguards and other compliance components as necessary to deter future concern
Establishing and providing well-documented monitoring of compliance;
Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns;
Establishing contingency plans for responding in the event of a breach;
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements;
Preparing and maintaining a well-documented record of compliance activities; and
Pursuing other appropriate strategies to enhance the Covered Entity’s ability to demonstrate its compliance commitment both on paper and in operation.

For Assistance With Compliance Or Other Concerns

The author of this article, Ms. Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact the author of this article, Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402 or another Curran Tomko Tarski LLP attorney of your choice. You can get more information about the CTT Health Care Practice and more specifics about Ms. Stamer’s health industry experience here.

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients, conducting workshops and other training, and providing policy advice about health care, privacy, data security, and other matters. She advises health care providers, health insurers and administrators, employer and other health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, ERISA, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. A widely published author on privacy, data security, health care and other related matters, Ms. Stamer is the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

Leave a Comment » | ARRA, Electronic Health Records, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Medicare, Medicare Advantage, Mental Heatlh, Pharmacy, Prescription Drugs, Privacy, Wellness | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Policy, Health Care Provider, Health Insurance, Health Plans, HIPAA, Hospital, Identity Theft, Physicians, Privacy, retaliation, Retalitory Discharge | Permalink
Posted by Cynthia Marcotte Stamer

HIT Policy Committee’s Nationwide Health Information Network Workgroup Meets December 16, 2009

December 1, 2009

The Office of the National Coordinator for Health Information Technology (ONC) HIT Policy Committee’s Nationwide Health Information Network Workgroup will hold a public meeting on December 16, 2009. The meeting is scheduled from 10 a.m. to 5 p.m./Eastern Time at the OMNI Shoreham Hotel, 2500 Calvert Street, NW., Washington, DC. Members of the public care invited to participate live, via telephone, or Webcast. For details about options for participation, instructions to present input, and other details, see here.

For More Information

We hope that this information is useful to you. If you need assistance with these or other health care public policy, regulatory, compliance, risk management, workforce and other staffing, transactional or operational concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other reimbursement, operations, internal controls and risk management matters. You can review other recent health care and related resources and additional information about the health industry and other experience of Ms. Stamer here.

Leave a Comment » | Electronic Health Records, Health Care, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Inpatient Rehabilitation Facility, Privacy | Tagged: ARRA, Corporate Compliance, Electronic Health Records, Electronic Medical Records, EMR, Health Care, Health Care Policy, Health Care Provider, Health Care Reform, Health Care Reimbursement, Health Plans, Health Policy, HHS, Hospital | Permalink
Posted by Cynthia Marcotte Stamer

North Texas Healthcare Compliance Professional Association To Meet At Texas Health Resources On October 13

September 29, 2009

NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONAL ASSOCIATION

October 13, 2009 Meeting Reminder

2:00 – 4:00 p.m. at the Texas Health Resources Pavilion

North Texas Health Care Compliance Professional Association’s October 13, 2009 Meeting will feature a participatory Health Care Compliance Roundtable Discussion of Hot Topics moderated by the Erma E. Lee, JPS Health Network District Compliance Officer and NTPCA President on Tuesday, October 13, 2009 from 2:00 – 4:00 p.m at the Texas Health Resources Pavilion located at 612 E. Lamar Blvd., Arlington, TX. Topics to be discussed include:

HIPAA Data Breach, Red Flag & Other Evolving Privacy & Data Security Obligations & Risks
Office of Civil Rights Health Industry Disability & Other Civil Rights Enforcement
Tax-Exemption Issues Including Proposed Form 990 and Exemption Reforms In Health Care Reform
Health Care Fraud Enforcement
Other Hot Developments

Come catch up on these and other new developments and exchange thoughts and insights with other Health Care Compliance Professionals!

NTHCPA thanks Texas Health Resources for hosting this month’s meeting.

For additional information, please contact NTHCPA Vice-President Cynthia Marcotte Stamer at (214) 270-2402 or by e-mail at cstamer@solutionslawyer.net.

We look forward to seeing you there!

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.

The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.

To register or update your registration or to receive notice of future meetings, e-mail here .

This communication may be considered a marketing communication for certain purposes. If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading to here.

Leave a Comment » | Anti-KickBack, ARRA, Disability Discrimination, Discrimination, Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health IT, Health Policy, HIPAA, HITECH Act, Medicaid, Medicare, OCR, OIG, Physician, Privacy, Reimbursement, Tax, Tax-Exemption, Technology | Tagged: Data Security, Doctor, Events, false claims act, Form 990, Health Care, Health Care Compliance, Health Care Discrimination, Health Care Fraud, Health Care Policy, Health Care Reform, Health Care Reimbursement, Health Policy, HIPAA, HITECH Act, Hospital, North Texas Health Care Compliance Professionals Association, Physician, Red Flag Rules, Reimbursement, Tax-Exemption | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Providers & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 24

August 24, 2009

Register Now To Participate in September 9 “HITECH Act Health Data Security & Breach Update”

Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 24, 2009.

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time.

HITECH Act Data Breach and Unsecured PHI Rules

Scheduled for publication in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 24, 2009.

Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.

Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.

For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.

Read the Breach Regulation here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

September 9 “HITECH Act Health Data Security & Breach Update” Briefing

Interested persons are invited to register here now to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For information about registering for this program or other questions here.

Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:

Who must comply
What your organization must do
How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
What is considered a breach of unsecured protected health information
What steps must a covered entity take if a breach of unsecured protected information happens
What liabilities do covered entities face for non-compliance
What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
Other recent developments
Practical tips for assessing, planning, moving to and defending compliance
Participant questions
More

About The Presenter

The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.

Vice President of the North Texas Health Care Compliance Professionals Association and Past Chair of the ABA Health Law Section Managed Care & Insurance Section, and Former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

Leave a Comment » | ARRA, Disease Management, Doctor, Electronic Health Records, Electronic Medical Records, Employer, FACTA, FDA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Indian Health, Inpatient Rehabilitation Facility, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Mental Heatlh, OCR, Outcomes Data, Peer Review, Physician, Prescription Drugs, Privacy, Reimbursement, Tax | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Health Care, Health Care Provider, Health Care Reimbursement, HHS, HIPAA, Hospital, Identity Theft, Long Term Care Hospital, Medicare, Medicare Part B, Physician, Physicians, Privacy, public health, Public Policy, Red Flag Rules, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

HHS Issues Interim Final Requiring Health Care Provider, Health Plans & Other Covered Entities To Give Breach Notifications When Certain Personal Health Information Breached Beginning In September; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone

August 20, 2009

The U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009) issued “breach notification” regulations requiring health care providers, health plans and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA). Covered entities must begin complying with the new rules no later than September 24, 2009.

Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For more information, e-mail here.

HITECH Act Data Breach and Unsecured PHI Rules

The new data breach notification rules are part of a series of recent HIPAA enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate covered entities and business associates to provide certain notifications following a breach of “unsecured” “protected health information” within the meaning of HIPAA, as amended. “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary.

The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach and the form, manner, and timing of that notification. For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure. To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the previously issued existing HHS guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals published earlier this year by HHS to for purposes of determining when protected health information will be considered “unsecured” for purposes of the HITECH Act data breach rules. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.

The HHS interim final regulations are effective September 24, 2009, which is the date 30 days after the date they will be published on the Federal Register and include a 60-day public comment period. To review the interim final data breach regulations, see here. To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

For More Information

The author of this article, Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer has extensive experience advising and assisting health care providers, payors and their business associates about HIPAA and other privacy and data security matters, as well as a diverse range of health care policy, regulatory, compliance, risk management and operational concerns.

Past chair of the American Bar Association Health Law Section Managed Care & Insurance Section, Martindale Hubble AV-rated and recognized in International Who’s Who of Professionals, Ms. Stamer continuously advises health care providers, health care payers and administrators, employers, governments and others about health care, insurance, human resources, privacy and data security, technology, and other legal and operational concerns. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer also writes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. She currently serves as the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010. Examples of her other works include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of others. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service Privacy Report, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a various other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.

We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on Linkedin, registering to receive these updates here.

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Solutions Law Press Health Care Update publication available here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

Leave a Comment » | ARRA Funding, Corporate Compliance, Doctor, Electronic Health Records, Electronic Medical Records, FACTA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Physician, Privacy | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Policy, Health Care Provider, Health Insurance, Health Plans, Hospital, Identity Theft, Physician, Physicians, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

HHS Hiring to Expand its Health Information Enforcement Team Again

August 4, 2009

The Department of Health and Human Services (HHS) this week announced additional job openings on its Office For Civil Rights (OCR) Health Information Privacy Enforcement Team.

These new positions are located in the OCR Office of the Deputy Director Health Information Privacy (ODDHIP). OCR provides the oversight, leadership, and coordination necessary to ensure that individuals have nondiscriminatory access to HHS services or programs and that the privacy of their health information is protected. The Division of Health Information Privacy enforces the HIPAA Privacy Rule and the confidentiality provisions of the Patient Safety and Quality Improvement Act.

For more information on these available positions, go here and enter the corresponding job announcement number applicable to the position of interest below.

Health Information Privacy Specialist, GS-301-13/14 HHS-OS-14-2009-0012

Health Information Privacy Specialist, GS-301-13/14 HHS-OS-14-2009-0013

The open period for these positions is Friday, July 31, 2009 to Thursday, August 13, 2009.

For More Information

We hope that this information is useful to you. If you need assistance with EMR or other health care technology, privacy or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.

Leave a Comment » | Electronic Health Records, Health Care, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Reassignment of HIPAA Security Rule Enforcement Signals Growing Seriousness About Enforcing HIPAA

August 4, 2009

The Department of Health & Human Services (HHS) today (August 3, 2009) transferred authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights (OCR). Prior to this announcement, responsibility for interpretation and enforcement of the Security Rule rested with the Centers for Medicare & Medicaid Services (CMS). The change reflects the growing seriousness of HHS and others about enforcing federal privacy and data security mandates for health information. HHS anticipates the transfer of authority will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.

HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. OCR has been responsible for enforcement of the Privacy Rule since 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.

Through a separate delegation, CMS continues to have authority for administration and enforcement of the HIPAA Administrative Simplification regulations, other than privacy and security of health information.

The transfer of Security Rule enforcement authority comes as guidance about new data breach rules for electronic protected health information is impending. This impending guidance relates to the implementation of new breach notification rules for covered entities and their business associates concerning their obligation to use of technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by amendments to HIPAA enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February. OCR officials have stated that they are working to publish the next set of regulations regarding these new breach notifications before the end of August, 2009.

In addition to adding the breach notification requirements, the HITECH Act also tightened the HIPAA mandates in several other respects. Among other things, it amended HIPAA to:

Broaden the applicability of the HIPAA’s Privacy Rules and penalties to include business associates;
Clarify that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
Increase criminal and civil penalties for HIPAA Privacy Rules violators;
Allow State Attorneys General to bring civil damages actions on behalf of certain state citizens who are victims of HIPAA Privacy and Security Rule violations;
Modify certain HIPAA use and disclosure and accounting requirements and risks;
Prohibits sales of PHI without prior consent;
Tighten certain other HIPAA restrictions on uses or disclosures;
Tighten certain HIPAA accounting for disclosure requirements;
Clarify the definition of health care operations to excludes certain promotional communications; and
Expand the Business Associates Agreement Requirements.

These and other developments make it imperative HIPAA covered entities and their business associates take prompt action to immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

For more information about today’s announcement, see here. See here for the initial guidance and request for comments issued by HHS regarding these new security standards.

For More Information

We hope that this information is useful to you. If you need assistance with health care privacy and data security, technology, or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health care privacy and data security and related matters.

Leave a Comment » | Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Physician, Privacy, Technology | Tagged: Data Security, Health Care, Health Care Provider, Health Insurance, Health Plans, HIPAA, Hospital, Identity Theft, Nonprofits, Personal Health Information, PHI, Physicians, Privacy, Red Flag Rules | Permalink
Posted by Cynthia Marcotte Stamer

FTC Issues FAQ Guidance On Red Flag Rules Applicable To Health Care Providers & Others

June 12, 2009

The Federal Trade Commission (FTC) and five other federal agencies yesterday (June 11, 2009) jointly issued a set of frequently asked questions (FAQs) about federal regulations on the “Red Flags and Address Discrepancy Rules” (Red Flag Rules) implementing sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) now scheduled to take effect on August 1, 2009.

Health care providers and a broad range of other entities are among the organizations generally required to comply with the broadly reaching Red Flag Rules, which require “financial institutions” and “creditors” to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.

The sweeping reach of the definition of “creditor: and “financial institutions” in the Red Flag Rules and other confusion about the Red Flag Rules have prompted the agencies to delay the deadline for compliance several times. The most recent delay, which extended the compliance deadline from May 1 to August 1, 2009, was announced by the FTC on April 30, 2009. The FTC promised to issue additional guidance to help promote better understanding of the rules when it announced this latest delay in the compliance deadline on April 30, 2009.

Fulfilling this promise, the FAQs discuss numerous aspects of the Red Flag Rules, including:

Types of entities and accounts covered;
Establishment and administration of an Identity Theft Prevention Program;
Address validation requirements applicable to card issuers; and
Obligations of users of consumer reports upon receiving a notice of address discrepancy.

FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers. The FTC has made clear it perceives most health care providers as falling within the scope of these rules.

FACTA is only one of a growing list of the evolving privacy and data security mandates applicable to businesses under federal and state laws that organizations must address under applicable federal laws. In addition to FACTA, most businesses also face other specific data security and data breach requirements under a tapestry of other federal and state laws which are constantly evolving. In addition to these FACTA and other generally applicable data security and breach rules, many organizations face evolving industry specific mandates. For example, health care providers, health plans, health care and their business associates also are required to update their privacy and data security practices to comply with recent amendments to the Health Insurance Portability & Accountability Act Privacy & Security Standards signed into law February 17, 2009.

Many of these federal laws provide for both civil penalties as well as criminal penalties that bring violations of these regulations under the Federal Sentencing Guidelines. As a consequence, most organizations need to implement and administer compliance programs to manage these Federal Sentencing Guideline risks. Even where criminal sanctions are not triggered, noncompliance with these and other data security mandates can trigger substantial judgment awards, administrative penalties or both.

If you need assistance with auditing, updating, administering or defending your privacy, data security or other privacy and data security practices or addressing other health care compliance, risk management, transactions or operations concerns, please contact Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com.

For More Information

We hope that this information is useful to you. You can find more information about the Red Flag Rules and other privacy and identity theft matters at here. You also can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to CStamer@CTTLegal.com.

Leave a Comment » | Corporate Compliance, Doctor, FACTA, Federal Sentencing Guidelines, Health Care, Health IT, HIPAA, Privacy | Tagged: ARRA, Corporate Compliance, Data Security, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Insurance, Health Plans, Health Policy, HIPAA, Hospital, Identity Theft, Physician, Physicians, Privacy, Red Flag Rules | Permalink
Posted by Cynthia Marcotte Stamer

DOJ/HHS Step Up Health Care Fraud Enforcement By Announcing New Interagency Health Care Fraud Prevention and Enforcement Action Team

May 20, 2009

Lead DOJ Health Care Fraud Enforcer Speaks In Dallas Tomorrow

The joint announcement today (May 20, 2009) by the U.S. Departments of Justice (DOJ) and Health & Human Services (HHS) of a new interagency team to combat health care fraud highlights the increasing need for health care providers and health plans to review and tighten their practices for dealing with Medicare and other federal programs to survive scrutiny under federal health care fraud initiatives. Houston and Detroit are targeted for the attention of a new Strike Force.

Participants attending tomorrow’s Dallas Health Industry Council Southwest Healthcare Transaction Conference will get to hear the latest about these and other federal health care fraud prevention and enforcement activities from one of its key players. The Justice Department’s lead federal health care fraud prosecutor, John “Jay” S. Darden, the U.S. Department of Justice Assistant Chief for Healthcare Fraud is scheduled to provide an update on these and other federal regulatory and enforcement activities affecting health care transactions when he speaks at the Conference tomorrow afternoon at the Omni Mandalay Hotel Dallas at Las Colinas at 1:30 p.m.

Attorney General Eric Holder and Health and Human Services (HHS) Secretary Kathleen Sebelius announced the creation of the Health Care Fraud Prevention and Enforcement Action Team (HEAT), to combat Medicare fraud and the expansion of Strike Force team operations to Detroit and Houston. Medicare Fraud Strike Forces, currently in operation in South Florida and Los Angeles, fight Medicare fraud on a targeted local level. Statements made by Secretary Sebelius and Attorney General Holder in connection with the announcement of HEAT and the Strike Force Expansion make clear that the Obama Administration views health care fraud enforcement and prevention as a key element of its efforts to control health care costs.

The HEAT team will include senior officials from DOJ and HHS who will build upon and strengthen existing programs to combat fraud while also investing new resources and technology to prevent fraud, waste and abuse before it happens. Efforts will include the expansion of joint DOJ-HHS Medicare Fraud Strike Force teams that have been successfully fighting fraud in South Florida and Los Angeles.

Established in 2007, these Strike Force teams have a proven record of success using a “data-driven” approach to identify unexplainable billing patterns and investigating these providers for possible fraudulent activity. The Medicare Fraud Strike Force team operating in South Florida has already convicted 146 defendants and secured $186 million in criminal fines and civil recoveries. After the success of operations in South Florida, the Medicare Fraud Strike Force expanded in May 2008 to phase two in Los Angeles, where 37 defendants have been charged with criminal health care fraud offenses. To date in the Los Angeles cases, more than $55 million has been ordered in restitution to the Medicare program.

In addition to health care fraud enforcement and prosecution, HHS and DOJ also view prevention as critical to reforming the system. Therefore, in addition to investigating and prosecuting fraud, the HEAT team will also focus critical resources on preventing fraud from occurring in the first place. These efforts are expected to include:

Drawing from demonstration projects by the HHS Inspector General and the Centers for Medicare & Medicaid Services (CMS) that have focused on suppliers of durable medical equipment (DME) including increasing site visits to potential suppliers to prevent imposters from posing as legitimate DME providers.
Increasing training for providers on Medicare compliance, offering providers the resources and the knowledge they need to help identify and prevent fraud.
Improving data sharing between CMS and law enforcement to help identify patterns that lead to fraud.
Strengthening program integrity activities to monitor and ensure Medicare Parts C (Medicare Advantage plans) and D (prescription drug programs) compliance and enforcement.

The Attorney General and the HHS Secretary also called on the American people to visit a new Web site http://www.hhs.gov/stopmedicarefraud or call 1-800-HHS-TIPS (1-800-447-8477) to report suspected Medicare fraud.

The HEAT Team and Strike Force activities are part of a broader emphasis in the enforcement of federal health care fraud laws. President Obama’s proposed Fiscal Year 2010 budget seeks to further increase funding for fraud prevention and enforcement by investing $311 million — a 50 percent increase from 2009 funding — to strengthen program integrity activities within the Medicare and Medicaid programs. The Obama Administration anticipates that all combined, the anti-fraud efforts in the President’s budget could save $2.7 billion over five years by improving oversight and stopping fraud in the Medicare and Medicaid programs, including the Medicare Advantage and Medicare prescription drug programs.

For More Information

We hope that this information is useful to you. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 270-2402 or via e-mail to cstamer@CTTLegal.com.

You can review other recent updates and other publications by Ms. Stamer and other helpful health care resources and additional information about Ms. Stamer and her experience, see Stamer Health Industry Experience. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here or by registering to participate in the Solutions Law Press Health Care Update blog at Health Care Update Blog. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

Leave a Comment » | Anti-KickBack, ARRA, ARRA Funding, Corporate Compliance, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Fraud, Health Care Provider, Health Care Reform, Health Policy, Hospital, Medicare Advantage, OCR, OIG, Physician, Prescription Drugs, Privacy, Reimbursement, Stark | Tagged: Corporate Compliance, Federal Sentencing Guidelines, Fraud, Health Care Reform, Health Care Reimbursement, Health Insurance, Health Policy, HHS, Hospital, Medicare, Medicare Part B, Physician, Physicians, Prescription Drugs, public health, Public Policy, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

FTC Extends Red Flag Rule Compliance Deadline From May 1 to August 1, 2009

May 1, 2009

Today is no longer the deadline for health care providers and other businesses regulated by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) to begin complying with the identity theft detection and prevention (“Red Flag Rules”) adopted by the Federal Trade Commission (“FTC”).

While health care providers have more time to comply, they can’t breathe easy. Finalizing arrangements to comply with these new mandates and other recent amendments to the health care privacy and data security requirements applicable to health care providers under recently enacted amendments to the Health Insurance Portability & Accountability Act (“HIPAA”) and FACTA and other recent regulatory and enforcement changes to these rules requires that health care providers move quickly. Learn more about these recent changes at http://solutionslaw.wordpress.com/2009/04/18/hhs-ftc-release-guidance-on-hitech-act-data-breach-rules-for-hipaa-covered-entities-entities-dealing-with-personal-health-records.

The FTC announced yesterday (April 30, 2009) its extension of the Red Flag Rule enforcement date to until August 1, 2009. Before yesterday’s announcement, health care providers and certain other FACTA-regulated businesses were required to comply with the Red Flag Rules today. The announcment means these organizations now have an additional three months to adopt the necessary policies and processes to monitor and respond to possible identity theft required under the Red Flag Rules.

According to the FTC announcement, organizations regulated by FACTA also will need to review their practices in light of additional guidance that the FTC expects to issue soon. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC plans to soon release a template to help them comply with the law. Yesterday’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

The FACTA directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors and other health care providers and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials was an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm. The resources also included a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule.

You can find more information about the Red Flag Rules and other privacy and identity theft matters at CynthiaStamer.com. If you need assistance with questions or compliance with these or other privacy and data security rules or other health law matters, contact Cynthia Marcotte Stamer at (214) 270.2402, or cstamer@cttlegal.com. To receive future Solutions Law Press Health Care Updates, register to participate in this Solution Law Press Health Care Update blog, register at CynthiaStamer.com or join the SLP Health Care Risk Management & Operations Group on linkedin.com.

Leave a Comment » | Anti-KickBack, Corporate Compliance, Doctor, Federal Sentencing Guidelines, Health Care, Health Care Provider, HIPAA, Hospital, Medicare Advantage, Physician, Privacy | Tagged: Doctor, Health Care, HIPAA, Hospital, Identity Theft, Physicians, Privacy, Red Flag Rules | Permalink
Posted by Cynthia Marcotte Stamer

Swine Flu Treatment & Pandemic Response Information Updated

April 30, 2009

With U.S. officials confirming the first swine flu attributed death in the U.S. yesterday and the number of U.S. reported cases expected to top 100 today, health care providers and organizations are initiating their pandemic response plans to help their organizations, people, patients and communities respond to the rapidly spreading epidemic.

Whether or not the swine flu outbreak reaches the level of an official pandemic, official reports reflect a legitimate need for concern. According to officials from the Centers for Disease Control and Prevention (CDC), victims of the swine influenza A (H1N1) virus infection already have been reported in 10 states, and the number of people known to be infected with the 2009 H1N1 influenza strain grew to 91 in the U.S. as of Wednesday. That number includes the first U.S. swine flu fatality: a 22-month-old child from Mexico who died of the illness Monday at a Houston, Texas hospital while visiting the United States. While swine flu victims have been reported in more than 11 countries, the majority of the incidents of the disease and deaths as of Wednesday morning had occurred in Mexico. Alarm that the outbreak will reach pandemic proportions continues to grow.

In response to the expanding crisis, the CDC yesterday released updated interim guidance on the use of antiviral agents for treatment and chemoprophylaxis of patients with confirmed, probable or suspected swine influenza virus infection and their close contacts. This guidance is only part of a host of growing resources for health care providers and other parties posted at http://www.pandemicflu.gov, the website founded by the U.S government to provide one-stop access to U.S. Government swine, avian and pandemic flu information. The website links to a growing list of special guidance provided by the CDC and other organizations for health care organizations and providers, public officials, schools, businesses, the public and others. Health care providers and other concerned parties should check this site regularly for updates about the latest guidance for responding to and treating swine flu.

Health care providers, schools, government agencies and others concerned about preparing to cope with pandemic or other infectious disease challenges also may want to review the guidance for health care providers and public health officials as health care providers, employers, and public entities contained in the pandemic and privacy planning workshop materials “Planning for the Pandemic” authored by Curran Tomko Tarski LLP partner Cynthia Marcotte Stamer available at http://www.cynthiastamer.com/documents/speeches/20070530%20Pan%20Flu%20Workplace%20Privacy%20Issues%20Final%20Merged.pdf.

Health care providers also should educate employees, patients and the public about the steps they should take to help minimize their risk of contracting the disease. While the CDC says getting employees and their families to get a flu shot remains the best defense against a flu outbreak, it also says getting individuals to consistently practice good health habits like covering a cough and washing hands also is another important key to prevent the spread of germs and prevent the spread of respiratory illnesses like the flu. Health care providers, employers, public officials and others should encourage patients, employees and their families and others to take the following steps and to coach others they know to do so as well:

Avoid close contact with people who are sick. When you are sick, keep your distance from others to protect them from getting sick too.
Stay home when you are sick to help prevent others from catching your illness. Cover your mouth and nose.
Cover your mouth and nose with a tissue when coughing or sneezing. It may prevent those around you from getting sick.
Clean your hands to protect yourself from germs.
Avoid touching your eyes, nose or mouth.
Germs are often spread when a person touches something that is contaminated with germs and then touches his or her eyes, nose, or mouth.
Practice other good health habits. Get plenty of sleep, be physically active, manage your stress, drink plenty of fluids, and eat nutritious food.

To help promote this message, health care providers, public officials and businesses may want to download and circulate some of the many free resources published by the CDC at http://www.cdc.gov/flu/protect/habits.htm.

Cynthia Marcotte Stamer and other members of Curran Tomko and Tarski LLP are experienced with advising and assisting health care providers, public agencies, schools, businesses and others employers with these and other health care, workforce, crisis preparedness and response and related matters. If your organization needs assistance with assessing, , please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402. For additional information about the experience and services of Ms. Stamer and to access some of her publications, see www.cynthiastamer.com or www.cttlegal.com.

Leave a Comment » | Doctor, Health Plan, HIPAA, Hospital, Pandemic, Privacy, Uncategorized | Tagged: Health Care, Health Care Provider, Pandemic, Privacy, public health, Swine Flu | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Complaint Basis For Texas Whistleblower Claim

April 4, 2009

In a March 19, 2009 ruling, the U.S. District Court for the Northern District of Texas recently recognized that the Texas Whistleblower Act prohibits health care organizations run by the State of Texas from retaliating against employees for making good faith complaints of violations of the Privacy Rules of the Health Insurance Portability Act (“HIPAA”).Nevertheless, the court dismissed the wrongful discharge lawsuit brought by a former Terrell State Hospital security guard who alleged he was wrongfully fired for complaining to the U.S. Department of Health and Human Services Office of Civil Rights (”OCR”) that the Hospital violated the HIPAA Privacy Rules because the plaintiff had failed to present sufficient proof that he was terminated in retaliation for filing a HIPAA complaint.

Illustrative of a growing number of state law retaliatory discharge claims brought be employees claiming to have been retaliated against for complaining about alleged violations of HIPAA’s Privacy Rules, Faulkner v. Department of State Health Servs., 2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009), involved claims made by plaintiff Anthony Faulkner (”Faulkner”) that the Texas Department of State Health Services (”DSHS”); Terrell State Hospital; Texas DSHS Commissioner David L. Lakey, M.D.; Terrell State Hospital Superintendent Fred Hale; and Terrell State Hospital Risk Management Coordinator Clent Holmes, R.N. violated the Whistleblower Act and the First and Fourteenth Amendments by firing him seven days after he complained to OCR that Terrell State Hospital violated the HIPAA Privacy Rule by leaving admissions logs containing patient names and admission dates in a public area.

The Texas Whistleblower Act generally prohibits a state or local governmental entity from terminating or taking any other adverse personnel action against a public employee who in good faith reports a violation of law by the employing governmental entity or another public employee to an appropriate law enforcement authority.See Tex. Gov’t Code § 554.002(a).While the Court affirmed that the Texas Whistleblower Act permits a public employee of the State of Texas discharged or otherwise retaliated against for complaining in good faith to OCR that his public employer or its employee violated the HIPAA Privacy Rules, the Court nevertheless granted summary judgment to the defendants.

According to the court, Faulkner’s failure to introduce evidence rebutting defendant’s affidavit that he was terminated for repeatedly violating rules requiring him to report suspected abuse of patients precluded him from proving his termination was in retaliation for his filing of the HIPAA complaint.Meanwhile, the court also ruled that Faulkner’s claims against the individual defendants should be dismissed as the Whistleblower Act only creates a cause of action against governmental entities and not their employees. Having found Faulkner’s constitutional claims also without merit, the District Court granted the defendant’s motion for summary judgment.

While the defendants were able to overcome Faulkner’s retaliatory discharge claim, the decision highlights the need for health care providers and other HIPAA covered entities to take appropriate precautions to defend against potential wrongful discharge, retaliation or other claims by employees or other service providers for complaining of possible HIPAA violations or for attempting to exercise other HIPAA-protected rights.HIPAA covered entities now should avoid engaging in actions that might unnecessarily fuel claims of retaliation. They also should carefully document and preserve evidence necessary to demonstrate the legitimacy of their disciplinary actions on an ongoing basis.

We hope you found this information helpful. If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other health care or employment laws or wishes to inquire about HIPAA training or other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer via e-mail at Cstamer@Solutionslawyer.net or by telephoning Ms. Stamer at 469.767.8872.You also can review other helpful resources and register to receive other updates at CynthiaStamer.com.

Leave a Comment » | Corporate Compliance, Health Care, Health Care Provider, Health Plan, HIPAA, Hospital, Physician, Privacy | Tagged: Corporate Compliance, Data Security, Employer, Health Care Provider, HIPAA, Hospital, Privacy, retaliation, Retalitory Discharge, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Health Care Providers Should Strengthen HIPAA Compliance & Defenses As Risks Rise

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Covered Entity Breach Notification Requirements

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

Exposures Significant & Growing

New Risks Created By HITECH Act Amendments

State Attorney General Lawsuit Exposures

Stepped Up Federal Enforcement

State Civil Lawsuits

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

For Assistance With Compliance Or Other Concerns

Other Helpful Resources & Other Information

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update