The more than $560,000 in civil monetary penalties (“CMPs”) collected since March by the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) from three HIPAA-covered entities for failing to respond to medical record requests within 30 days as required by the Health Insurance Portability & Accountability Act (“HIPAA”) right of access rule (“Access Rule”) shows patients, their personal representatives and health care providers, health plans, health care clearinghouses (“Covered Entities”) the seriousness of OCR’s commitment to enforcement of the Access Rule.

On August 2, 2024, OCR announced emergency medical provider American Medical Response (“AMR”) paid a $115,200 civil monetary penalty (“AMR CMP”) for waiting 370 days before delivering medical records requested by a patient’s personal representative.  OCR’s AMR CMP announcement follows its April 1, 2024 announcement Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”) paid a $100,000 CMP (“HMH CMP”) for waiting 161 days to provide medical records requested by a patient’s personal representative and March 29, 2024 announcement of its agreement to accept payment of $35,000 in satisfaction the previously assessed $250,000 CMP against Phoenix Healthcare LLC d/b/a Green County Care Center (“Phoenix”) for Access Rule violations.  With these three actions, OCR collected $565,000 in CMPs for Access Rule violations since March 29, 2024, and has announced a total of 49 high-dollar Access Rule CMP or settlement collections since announcing its Access Rule enforcement initiative in 2019.

OCR’s pursuit of CMPs in excess of $100,000 against each of these three entities for failing to respond to a single request for patient records makes clear OCR’s readiness to investigate and pursue big dollar penalties against Covered Entities for even a single failure to deliver documents to a requesting patient or personal representative.  In light of OCR’s clear commitment holding all Covered Entities accountable for Access Rule compliance, all Covered Entities should recognize the importance of timely responding to each access request in accordance with the Access Rule to avoid similar CMP exposure for their organizations.

HIPAA Right Of Access Rule

HIPAA’s Privacy Rule right of access (“Access Rule”) is part of the national standards that HIPAA Privacy, Security, and Breach Notification Rules (“Privacy Rule”) require that Covered Entities and their business associates meet for protecting to protect individuals’ protected health information (“PHI”), limit uses and disclosures of PHI, and give individuals the right to timely access and to obtain a copy of their PHI records and certain other rights.  Like other Privacy Rule violations, Access Rule violations can subject a Covered Entity or business associate to expensive HIPAA civil monetary penalties (“CMPs”).

The Access Rule codified in 45 C.F.R. 164.524 generally requires that a Covered Entity to respond to a request from an individual or its personal representative to access or for a copy of protected health information (“PHI”) in any records set of a Covered Entity or its business associate within 30 days of receipt of the individual’s request.  OCR Access Rule guidance makes clear OCR views this deadline as the maximum allowed period

The Covered Entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to provide the records within 30 days for a legitimate reason, the Access Rule allows the Covered Entity a one-time 30-day extension of the response timeframe by sending the requestor a written statement of the reasons for the delay and the date within the extended response deadline by which the Covered Entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2).

The Access Rule also contains specific guidance governing the calculation of the allowable fee, if any, the Covered Entity can charge for providing the PHI to a reasonable cost-based fee calculated following the Access Rule.  It also sets forth other requirements about the manner and format in which the Covered Entity must deliver the PHI.

OCR is responsible for implementing the Privacy Rules and enforcing non-criminal violations of its requirements.  When OCR finds violations of the Access Rule or other HIPAA violations, HIPAA as amended by the HITECH Act,¹ generally authorizes OCR to impose and collect a CMP determined based on the following penalty schedule, with adjustments for inflation:

• A minimum of $100 for each violation where the Covered Entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated the HIPAA provision, provided the total amount of CMPs imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
• A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
• A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
• A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.³ The adjusted amounts apply only to CMPs whose violations occurred after November 2, 2015.

$115,200 AMR CMP

According to the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) August 1, 2024 announcement of the AMR CMP, AMR paid OCR the $115,200 AMR CMP after OCR assessed the CMP in a Notice of Final Determination that AMR violated the Access Rule.

The Notice of Final Determination arose from an OCR investigation of a complaint made by an attorney (“the Patient’s Attorney”) on behalf of a patient transported by AMR alleging that AMR failed to provide a patient with timely access to its medical records after many failed attempts by the patient to obtain the records.

According to the Proposed Notice of Determination, the Patient’s Attorney sent AMR a fax on the patient’s behalf on October 31. 2018 asking for copies of a patient’s medical records including, “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date” in electronic format to the patient’s attorney (“access request”). The access request was in writing, signed by the Patient’s Attorney, that clearly identified the Patient’s Attorney and where to send the copy of the Patient’s Attorney’s PHI. The Patient’s Attorney received a fax transmission report reflecting that AMR received her request on October 31, 2018. Although AMR uses an electronic health record (EHR) for its medical records and maintains the Patient’s Attorney’s requested PHI in its HER, it did not respond to this request by November 30, 2018, the date 30 days from receipt.

On November 8, 2018, the Patient’s Attorney also mailed a copy of her October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail and received confirmation of delivery on November 13, 2018 from the United States Postal Service. The Patient’s Attorney also subsequently sent two follow-up requests for the PHI records on January 24, 2019.

Although AMR’s electronic medical record confirmed AMR received these requests, AMR did not respond to the Patient’s Attorney’s request until March 1, 2019, 121 days after the initial request, when AMR sent the Patient’s Attorney an invoice requiring payment of an access fee before AMR would provide the requested records to Complainant.

On March 18, 2019, the Patient’s Attorney then sent AMR another follow-up letter that reiterated the Patient’s Attorney’s multiple access requests and advised AMR that if AMR did not send the PHI to the Patient’s Attorney electronically within seven days the Patient’s Attorney would file a complaint with OCR.  Since AMR failed to deliver the requested records in electronic format within the specified period, the Patient’s Attorney filed a complaint with OCR on July 29, 2019, alleging that AMR violated the Access Rule by failing to provide a copy of the patient’s PHI in response to the Patient’s Attorney’s multiple access requests.

OCR’s October, 2019 investigation found AMR repeatedly failed to timely respond to the patient’s access request even though AMR had procedures in place for processing individuals’ written access requests.

In response to OCR’s investigation, AMR sent the requested records to the Patient’s Attorney on November 5, 2019, 370 days after the Patient’s Attorney’s initial request.

In response to OCR’s investigation, AMR also amended its internal procedures to streamline and better track access requests. OCR notified AMR of the results of OCR’s investigation on August 3, 2021, and offered AMR an opportunity to resolve the matter informally.  Rather than accepting this offer, however, AMR responded to OCR through counsel on August 9, 2021, asking OCR to “reconsider its position” without providing a counteroffer or otherwise engaging in negotiations with OCR. While OCR did not disclose the terms of its proposed offer of resolution, acceptance of this offer presumably would have allowed AMR to resolve the charges for an amount less than the $115,200 CMP ultimately imposed.

OCR then sent an April 15, 2022 Letter of Opportunity (LOO) to AMR, which informed AMR that OCR’s investigation indicated that AMR violated HIPAA’s Access Rule and providing AMR with an opportunity to submit written evidence of mitigating factors and affirmative defenses to this violation as well as evidence to support a waiver of a CMP for violating the Access Rule.  OCR determined AMR’s May 16, 2022 response to the LOO did not support any affirmative defense to the charges or grounds for waiver of the CMP but weighed AMR’s LOO response alleging mitigating factors in determining the amount of the CMP.

Based on these factual findings, OCR sent AMER a Notice of Proposed Determination that announced OCR’s intent to impose the $155,200 AMR CMP for its violation of the Access Rule by failing to provide timely access to the Patient’s Attorney after receiving her lawful requests.

Finding the Reasonable Cause penalty tier applicable for purposes of determining the CMP for  AMR’s Access Rule violation from December 1, 2018, to February 28, 2019, OCR calculated the AMR CMP as follows: $39,680 CMP Calendar Year 2018 (31 days from 12/1/18-12/31/18 at $1,280 per day); plus           $75.520 CMP Calendar Year 2019 (59 days from 1/1/19 to 2//19, at $1,280 per day) = $115,200 Total CMP

While AMR argued that OCR should exercise its discretion and choose not to apply any CMPs because of “multiple mitigating factors, OCR determined AMR’s arguments factually inaccurate and not meriting change of the CMP assessment from the reasonable cause level. Accordingly, OCR refused to reduce the original $115,200 based on alleged mitigating factors. 

After AMR did not challenge the determinations of OCR in the Notice of Proposed Determination within the allowed period, OCR issued the Final Notice of Determination imposing the $115,200 AMR CMP and AMR paid that amount.

Since as early as 2016, OCR has made Access Rule enforcement a priority.  Along with its assessment of the AMR CMP, OCR’s commitment to continued Access Rule enforcement is demonstrated by the 48 other previously announced Access Rule enforcement actions through July 31, 2024. 

$100,000 Hackensack Meridian Health CMP

Before it collected the AMR CMP, on April 1, 2024, OCR already had announced its collection of a $100,000 CMP from a New Jersey skilled nursing facility for violating the Access Rule in April.

Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“HMH”) is a skilled nursing facility that provides long-term care and rehabilitation services.

In May 2020, OCR received a complaint alleging that HMH failed to provide a personal representative with access to his mother’s medical records even after HMH received sufficient documentation that the patient’s son who requested the records as his mother’s personal representative.

OCR found that HMH failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination (“HMHPD”) seeking to impose the $100,000 civil money penalty. When HMH waived its right to a hearing and did not contest OCR’s findings, OCR finalized the Notice of Final  Determination imposing the $100,000 CMP.

The OCR investigation found that when Peter Lindsay originally requested copies of the medical records of his mother, Lois Lindsey (“mother”) from WCCC in an April 19, 2020 email, WCCC responded with an April 22, 2020 e-mail denial that requested Mr. Lindsay provide WCCC a copy of a power of attorney, medical proxy or similar document executed by the mother establishing that he was his mother’s personal representative. However, when WCCC still failed to deliver the requested medical records after Mr. Lindsey sent a copy of his mother’s power of attorney via May 23, 2020 e-mail, Mr. Lindsey complained to OCR.

After OCR notified WCCC on October 15, 2020, its investigation of the complaint, WCCC acknowledged that it failed to respond to the complainant’s request for his mother’s medical records within 30 days of receiving the complainant’s written request for the records but still did not deliver the records until December 1, 2020, 161 days after the complainant’s request.

By letter dated March 25, 2022, OCR informed WCCC its investigation found that WCCC failed to provide timely access to protected health information and offered WCCC an opportunity to settle this matter informally.  Although OCR’s letter encouraged WCCC to contact OCR no later than ten days after receipt of the letter, OCR received no response until WCCC responded via e-mail through its attorney on April 29, 2022, that WCCC disagreed with OCR’s proposed resolution, OCR received an email correspondence from the WCCC’s attorney stating WCCC’s disagreement with OCR’s proposed resolution.  OCR then responded by issuing a May 16, 2022 Letter of Opportunity (LOO) informing WCCC that OCR found preliminary indications of non-compliance and providing WCCC with an opportunity to submit written evidence of mitigating factors, affirmative defenses, or waiver factors for OCR’s consideration in determining the CMP amount.

In the June 15, 2022 response to the LOO sent by WCCC’s attorney, WCCC acknowledged receipt of both the April 19, 2020, medical record request and the power of attorney emailed on April 23, 2020.  WCCC also admitted that instead of providing Mr. Lindsay with the requested medical record, WCCC instead sent a copy of the mother’s medical records to another facility to which Ms. Lindsay was transferred. WCCC’s attorney admitted WCCC should have handled the request differently but indicated at the time of the original request, both Mr. Lindsey and his mother were parties to ongoing litigation with WCCC over non-payment for care, that WCCC also was struggling with the COVID-19 pandemic, that Mr. Lindsey filed his complaint with OCR exactly 30 days after his e-mailed request before WCCC’s response to the initial request was due and asserted several affirmative defenses it claimed excused WCCC’s failure to provide the medical documents. 

Based on the above findings of fact, OCR calculated the WCCC CMP at the reasonable cause not corrected tier for WCCC’s failure to provide the requested medical records from June 23, 2020, to December 1, 2020.

WCCC also asserted various affirmative defenses and a right of waiver to avoid or mitigate the amount of the WCCC CMP, all of which OCR found unpersuasive.

• Regarding WCCC’s assertion that HIPAA barred imposition of a CMP in this case, as a matter of law, under the HIPAA affirmative defense for a violation not due to willful neglect and timely corrected, OCR determined that the affirmative defense did not apply as WCCC did not timely correct the violation.  
• OCR also rejected WCCC’s assertion that imposition of a CMP under these circumstances would be arbitrary and capricious and violate the Administrative Procedure Act (the Patient’s AttorneyA). 
• OCR likewise found rejected WCCC’s claim that OCR should waive any possible CMP because assessment of the CMP would be excessive as WCCC only failed to timely respond to a single request for records access, submitted amidine the midst of litigation with the requesting party during the COVID-19 pandemic and WCCC’s personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.

After WCCC waived its right to challenge these OCR determinations in an administrative hearing, OCR issued the Notice of Final Determination on January 12, 2024, which OCR publicly announced  on April 1, 2024.

Phoenix CMP Settlement

OCR’s WCCC CMP announcement came only three days after OCR announced a settlement with Phoenix under which OCR accepted and collected $35,000.00 (“Settlement Amount”) from Phoenix in full satisfaction of a $250,000 CMP under a March 30, 2021 Notice of Final Determination issued against Phoenix for willful violation of the Access Rule. 

The Phoenix CMP and resulting settlement arose from OCR’s investigation of a right of access complaint filed against the Oklahoma multi-facility nursing care organization by a patient’s daughter in April 2019 that Phoenix would not provide the daughter, who serves as a personal representative, with a copy of her mother’s medical records. After Phoenix eventually sent the requested records 323 days after the request on January 30, 2020 and only after OCR attempts to get the records through technical assistance and other efforts, OCR notified Phoenix of its intention to impose a $250,000 civil money penalty (“Phoenix CMP”) against Phoenix for willful violation of the Access Rule along with violations of HIPAA’s business associate requirements. 

Rather than accede to OCR’s proposed imposition of the $250,000 Phoenix CMP, however, Phoenix chose to challenge the proposed Phoenix CMP to an administrative law judge (“ALJ”) in the Civil Remedies Division of the Departmental Appeals Board (“DAB”) of HHS. In Decision No. CR6232, the ALJ on February 16, 2023, upheld the Access Rule violations cited by OCR and OCR’s determinations that Phoenix acted with willful neglect in committing the violations, but reduced the Phoenix CMP amount from the $250,000 proposed by OCR to $75,000.

Despite the ALJ’s reduction of the Phoenix CMP, Phoenix then unsuccessfully challenged the ALJ’s determinations. On August 4, 2023, the HHS Departmental Appeals Board upheld the ALJ’s decision to uphold OCR’s determinations that Phoenix acted with willful neglect in violating the Access Rule and imposition of the reduced $75,000 CMP.

When Phoenix threatened to appeal this determination in federal court and presented evidence of “financial hardship, however, OCR agreed “as a compromise based on the unique facts and circumstances of this matter,” to accept in full satisfaction of the $75,000 CMP assessed due and owing by Phoenix under ALJ Decision affirmed by DAB Decision No. 3105 and DAB Decisions  No. CR6232 in return for Phoenix’s payment of the $35,000 Settlement Amount and Phoenix’s agreement not to further challenge OCR’s assessment and to revise its HIPAA Policies and Procedures to address the Access Rule and business associate agreement requirements, training, and other compliance.

Right Of Access Enforcement Takeaways

OCR’s pursuit of CMPs for Access Rule violations against AMR, WCCC and Phoenix, along with the 46 Access Rule settlements announced by OCR before the Phoenix Settlement makes clear OCR takes seriously and stands prepared to assess substantial CMPs against Covered Entities that violate the Access Rule.  

Like the 46 Access Rule settlements OCR previously announced, the circumstances surrounding the assessment of the AMR CMP and other Access Right Enforcement actions contain several important lessons for Covered Entities and business associates including:

• Ensuring Covered Entities appropriately track and timely respond to access requests is critical;
• Failing to provide timely response to even a single access request can trigger a significant CMP;
• The existence or expectation of a lawsuit or other dispute with the patient or patient’s personal representative does not justify delay or refusal timely to provide requested medical records within 30 days;
• While Covered Entities and business associates have a duty to verify a family member, attorney or other party requesting medical records on behalf of a patient is the personal representative, a Covered Entity is responsible for verifying this and delivering the requested medical records promptly following receipt of a request;
• If a Covered Entity or business associate intends to charge to provide requested medical records in response to an access request, ensure that the proposed charge is calculated following the Access Rule, notification is delivered within 30 days of the original request and deliver the medical records promptly after the payment is received;
• Providing requested medical records to another health care provider or other party does not excuse or substitute for providing the medical records to the requesting patient or personal representative;
• A Covered Entity that fails to meet the 30-day deadline for responding to an access request should fix the problem promptly by delivering the documents as soon as possible and taking documented corrective action to prevent future noncompliance;
• A Covered Entity or business associate that already has not responded within 30 days of receipt of an access request should not withhold delivery of the requested PHI pending the requestor’s payment of the minimal allowed charge that it could have imposed had it timely responded to the access request within 30 days; and
• Consider carefully before declining an offer from OCR to settle through informal resolution.

Covered Entities and business associates also should keep in mind other potentially applicable legal or ethical requirements to provide medical records.  For instance, state medical licensure and ethics rules typically require physicians and other health care providers to provide copies of medical records or other materials that also qualify as protected health information under HIPAA.  Likewise, the Employee Retirement Income Security Act, state insurance rules and other federal or state laws also may require health plans and their insurers, administrators and others with timely access to medical or other records that also are protected heath information under HIPAA.  Covered Entities and business associates should ensure that all applicable deadlines are met and that any charges imposed satisfy all applicable requirements.

Covered Entities and business associates also should keep in mind that the Access Rule is only one of several areas of HIPAA enforcement prioritized by OCR that can trigger costly CMPs. Since HIPAA took effect in April 2003 through April 2024, OCR has:

• Received and resolved 99 percent of the more than 358,975 HIPAA complaints and the more than 1,188 OCR-initiated compliance reviews;
• Required changes in privacy practices and corrective actions in more than 30,839 cases investigated;
• Settled or imposed a civil money penalty in 145 cases resulting in a total dollar amount of $142,663,772.00; and
• OCR referred 2,197 to the Department of Justice (DOJ) for criminal investigation of cases involving the knowing disclosure or obtaining of protected health information in violation of HIPAA.

The compliance issues most often alleged in complaints cumulatively, in order of frequency through April, 2024 have remained consistent across the 20 years since HIPAA became effective.  They include cumulative in order of frequency:

• Impermissible uses and disclosures of protected health information;
• Lack of safeguards of protected health information;
• Lack of patient access to their protected health information;
• Lack of administrative safeguards of electronic protected health information; and
• Use or disclosure of more than the minimum necessary protected health information.

While health care providers are the type of Covered Entity most often subjected to enforcement, OCR data confirms OCR investigations and enforcement has impacted all types of Covered Entities and business associates.  According to this data, the categories of Covered Entities OCR investigations have found to have committed violations are, in order of frequency:

• General Hospitals;
• Private Practices and Physicians;
• Pharmacies;
• Outpatient Facilities; and
• Group Health Plans.

Additionally, while Group Health Plans as a group have the fewest compliance violations to date, OCR enforcement data confirms OCR’s investigation and enforcement of Access Rule violations against Group Health Plans, as well as that Group Health Plans and their business associates historically account for violations of the HIPAA security rules for the protection of electronic health information affecting millions of Americans. With OCR’s even further heightening its prioritization of HIPAA’s security rule oversight and enforcement in response to massive breaches of electronic protected health information systems and data that triggered widespread disruptions of care and payment systems reported by UnitedHealthcare Group’s Change Health, Ascension Health, and others, and recent OCR guidance requiring to update their Notices of Privacy Practices, all Covered Entities and their business associates should ensure seize the opportunity to re-verify the defensibility of their organization’s Access Rule, Security Rule and other HIPAA compliance.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297. 

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Meeting with the HHS Office of Civil Rights on HIPAA, Cynthia Marcotte Stamer has extensive experience advising and defending health care and life sciences, health plans and insurers, their business associates about HIPAA and other privacy and data security protection, breach response and other compliance and risk management.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Past Group Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee; and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership advising healthcare and life sciences, managed care and other insurance and employer-sponsored health benefit, technology, and other highly regulated and data dependent clients about health care and other regulatory, workforce and staffing, health and other employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending HIPAA, FACTA, GDPR, GLB, and other privacy, data security and information protection and breach; EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state privacy, data breach and security, employment, employee benefits and insurance, equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. 

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

• Cleveland Clinic Foundation Pays $7.6M To Settle FCA Charges Relating To NIH Grants
• Settlement Alerts Health Industry Employers Against Overreaching Employment Eligibility Verification
• FLSA Salary Threshold Increases, Other Proposed Changes To Rules & Enforcement Alert Health Care Employers To Confirm Salaried Employee Defensibility
• New CMS LTC Staffing Requirements Likely To Increase Workforce Competition, Costs Industry-Wide
• CMS Health Care Disparities Report Released
• Update Change Surprise Billing IDR Resubmission Procedures Effective 5/1/24
• DOJ Sets Minimum Standards For State & Local Government Website, Mobile App Disability Accessibility
• DOJ Sets Minimum Standards For State & Local Government Website, Mobile App Disability Accessibility
• Doctor’s Conviction Illustrates Advisability For Physicians To Know & Follow Federal Health Care Fraud Rules
• April Is National Minority Health Month
• UHG Shares Resumption Timeline For Products Disrupted By Cyberattack
• OCR Updated Guidance Reminds HIPAA Entities Of HIPAA Online Tracking Duties
• Choice Health/UHG Breach Creates HIPAA Headaches For Impacted Health Care Providers & Other HIPAA Covered Entities
• Review & Update Medical Record Confidentiality Policies In Response To Newly Revised Federal Substance Abuse Disorder Confidentiality Rules
• OCR Nails Second HIPAA Covered For Allowing Ransomware Breach
• Nearly $900K FLSA Backpay Award Warns Other Home Health Employers
• 3/4 Dallas Bar Association Virtual Program Covers Disability Accommodation In Education, Facilities, Technology & Beyond
• Hospital System Pays $4.75 Million HIPAA Breach Settlement
• Health Care Facilities Should Ensure Their Patient, Employment and Other Operational Defensibility Against Religious Discrimination Charges Amid Rising Risks
• eBay Paying $59 Million to Settle Controlled Substances Act Allegations About Website Pill Press Sales
• FDA & CMS Partnering To Promote Accurate and Reliable Diagnostic Tests
• 46th OCR HIPAA Right of Access Settlement With Optum Medical Care Warns All HIPAA Entities To Timely Deliver Required Medical Record Access
• Fee Set for Providers & Plans Using No Surprises Act Independent Dispute Resolution To Resolve Post 2/20/24 Disputes
• No Surprises Act IDR Portal Now Open For All Covered Health Claims; Added Deadline Extensions Announced
• Texas Man Charged With Filing $60 Million DME Medicare Fraud Scheme
• Federal Court Orders Manufacturer, President To Recall & Stop Making & Distributing Defective Drugs
• 1st Phishing-Related HIPAA Settlement Sends Other HIPAA Entities Phishing Warning
• New OCR/St. Joseph’s Medical Center Settlement Highlights HIPAA-Covered Entities’ Duty To Prevent Unauthorized PHI Access and Disclosure To Media & Other Third-Parties
• Advanced Practice Registered Nurse Loses License, Sentenced To Prison For Unlawful Distribution of Controlled Substances To Lovers and Others and Health Care Fraud
• Ex-Wife’s 56 Month Sentence For Using Ex-Husband’s Provider Number To Commit Medicaid Fraud Warning To Other Providers

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™