Staph infections are only one category of serious infection risks that patients and their families face when getting health care treatment. Patients can reduce these infection risks by sharing the following tips from the Center for Disease Control:

• Speak up. Talk to your doctor about any questions or worries. Ask what they’re doing to protect you.
• Keep hands clean. Make sure everyone, including friends and family, clean their hands before touching you. If you don’t see your healthcare providers clean their hands, ask them to do so.
• Ask each day if your central line catheter or urinary catheter is necessary. Leaving a catheter in place too long increases the chances you’ll get an infection. Let your doctor or nurse know immediately if the area around the central line becomes sore or red, or if the bandage falls off or looks wet or dirty.
• Prepare for surgery. Let your doctor know about any medical problems you have. Ask your doctor how he/she prevents surgical site infections.
• Ask your healthcare provider, “Will there be a new needle, new syringe, and a new vial for this procedure or injection?” Insist that your healthcare providers never reuse a needle or syringe on more than one patient.
• Get Smart about antibiotics. Antibiotics only treat bacterial infections – they don’t work for viruses like the ones that cause colds and flu. Ask your healthcare provider if there are steps you can take to feel better without using antibiotics. If you’re prescribed an antibiotic, make sure to take the prescribed antibiotic exactly as your healthcare provider tells you and do not skip doses.
• Watch out for deadly diarrhea (aka Clostridium difficile). Tell your doctor if you have 3 or more diarrhea episode services in 24 hours, especially if you’ve been taking an antibiotic.
• Know the signs and symptoms of infection. Some skin infections, such as MRSA, appear as redness, pain, or drainage at an IV catheter site or surgery site and come with a fever. Infections can also lead to sepsis, a complication caused by the body’s overwhelming and life-threatening response to an infection.
• Get Vaccinated. Getting yourself, family, friends, and caregivers vaccinated against the flu and other infections prevents spread of disease.
• Cover your mouth and nose. When you sneeze or cough, germs can travel 3 feet or more. Use a tissue to avoid spreading germs with your hands.

Healthcare-associated infections are not only a problem for healthcare facilities – they represent a public health issue. Learn more about how to be a safe patient. Read: Patient Safety: What You Can Do to Be a Safe Patient.

©2017 Cynthia Marcotte Stamer. Nonexclusive license to republish granted to Solutions Law Press, Inc.

The Centers for Medicare & Medicaid Services (CMS) has merged all up-to-date content from its Road to 10 website to its main ICD-10 site, cms.gov/ICD10.
It expects to finish its  phase out the Road to 10 site by April 3.

In preparation for the merge, health care providers and other interested parties  should update all bookmarks and links for Roadto10.org to point to cms.gov/ICD10 as soon as possible and no later than April 3.

Paul Ryan released the American Health Care Act (Act)-the Republican leaderships’ proposed bill to repeal or reform the Obamacare law, the Patient Protection and Affordable Care Act (ACA).  

When introducing the Act, Speaker Ryan touted the Act as rescuing the US health care system from the ACA driving down costs, encouraging competition, and giving every American access to quality, affordable health insurance. 

Read the Act here and share your specific ideas and thoughts about the Act and your other input on what our health care system should look like going forward, how these proposals relate and the other reforms you believe Congress should make to build a better healthcare system for today that can survive into the future by joining the discussion in the Solutions Law Press, Inc. Coalition for Responsible Health Care Policy LinkedIn Group. 

The U.S. District Court for the Northern District of Texas on December 31, 2016  preliminarily enjoined HHS from enforcing, on a nationwide basis, the provisions of the regulation implementing Section 1557 of the Affordable Care Act that prohibit discrimination based on gender identity or termination of pregnancy. 

The order in Franciscan Alliance, Inc. et al v. Burwell blocks for now HHS implementation or enforcement or rules prohibiting health care providers and others covered by the ACA from discriminating based on gender identity or abortion pending further litigation.
 

A new Center for Medicare and Medicaid Services (CMS) Rule published on December 12 tries to deter  providers from encouraging Medicare and Medicaid eligible dialysis patients to enroll iprivate health insurance  offered through health insurance exchanges that provide higher reimbursement for providers than Medicare and Medicaid.

Issued in response to private health insurer complaints, the Rule requires dialysis centers that help patients pay private insurance premiums either directly or through charities to disclose information about what private plans versus Medicare and Medicaid pay. The Rule requires providers to inform patients that the private plans might not cover certain expenses that might be reimbursable by Medicare or Medicaid.

private insurers have complained that providers steering a patient’s to private coverage to increase reimbursement for the provider for the care is increasing costs and undermining the risk pools for the health insurance exchange plans created by the Patient Protection and Affordable Care Act (ACA). CMS also has sent letters (PDF) to all Medicare-enrolled dialysis facilities warning the facilities that CMS has “concerns” about provider enrollment activities that seek to maximize provider profits.

In addition to complaining to CMS about providers encouraging dialysis patients to enroll in private health plans that have higher reimbursement rates than Medicare or Medicaid pay, some private self insured plans reportedly have sent threatening demand letters to some dialysis providers, accusing the providers of violating the Medicare rules by incentivizing Medicare eligible patients pay some or all of the cost of that coverage.  

Private insurers and self insured plans generally express to cost concerns when Medicare or Medicaid eligible individuals remain enrolled in their programs. Dialysis patients with end-stage renal disease become eligible for Medicare at the time of diagnosis. The Medicare secondary payer rules prohibit group health plans or insurers from incentivizing or requiring Medicare eligible individuals that are the employee or employees spouse to enroll in Medicare or terminate coverage under the group health plan based on their. Under the Medicare secondary payer rules, coverage provided by self insured employeror union sponsored plans generally is considered primary coverage to Medicare and Medicaid. Consequently the group health plan or insurer generally will pay the majority of the cost of care in excess of the deductibles throughout the primary coverage period.  Not only does the private plan pay a greater percentage of the cost of coverage, many private plans provide a higher reimbursement rate than Medicare or Medicaid pay.  As a result private insurers are particularly aware and concerned about the cost of covering Medicare or Medicaid eligible patients under their group and individual health insurance plans.

On August 5, 2016, the agency heads of the U.S. Department of Health and Human Services (HHS), the U.S. Department of Housing and Urban Development (HUD), and the U.S. Department of Justice (DOJ) issued a joint letter warning 

• State and local agencies against treating  immigration status as a bar to providing certain services to protect the life or safety of individuals or to services that are not considered to be a federal public benefit; and 
• Benefit providers to ensure they do not engage in practices that deter eligible members of mixed-status households from accessing benefits essential to life and safety based on their national origin. 

The warnings come to clarify the Obama Administration’s interpretation and enforcement position of the effect of the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (“PRWORA” or “the Act”) restriction of immigrant access to certain public benefits, taking into account the Act’s exceptions for programs, services, or assistance necessary for the protection of life and safety as specified by the Attorney General. 

In 2001, the U.S. Attorney General issued an Order specifying the programs, services, or assistance determined to be necessary for the protection of life or safety as follows:

• Crisis counseling and intervention programs; services and assistance relating to child protection, adult protective services, violence and abuse prevention, victims of domestic violence or other criminal activity; or treatment of mental illness or substance abuse;
• Short-term shelter or housing assistance for the homeless, for victims of domestic violence, or for runaway, abused, or abandoned children;
• Programs, services or assistance to help individuals during periods of heat, cold, or other adverse weather conditions;
• Soup kitchens, community food banks, senior nutrition programs such as meals on wheels, and other such community nutritional services for persons requiring special assistance;
• Medical and public health services (including treatment and prevention of diseases and injuries) and mental health, disability, or substance abuse assistance necessary to protect life or safety;
• Activities designed to protect the life or safety of workers, children and youths, or community residents; and
• Any other programs, services, or assistance necessary for the protection of life or safety.

The agencies’ August 5, 2016 letter available here reaffirms that immigration status is not a bar to providing certain services to protect the life or safety of individuals.

Concurrent with the agencies publication of the letter,  the HHS Administration for Children and Families’ (ACF) Family and Youth Services Bureau (FYSB) also issued a set of Frequently Asked Questions regarding the availability of services provided by short-term and emergency shelters for victims of domestic violence and their dependents available for review at here. 

State and local agencies and benefit providers regulated by the agencies should affirm their practices comply with this agency position to avoid getting nailed for prohibited discrimination or other program rules. 
 

Sunu Chandy is the new Deputy Director of the Department of Health & Human Services Office for Civil Rights (HHS OCR).  Chandy took over as the new Deputy Director for Civil Rights effective Monday, July 25, 2016.  Chandy will lead the Civil Rights Division team and will be focused on HHS OCR’s ongoing priorities, including the implementation of Section 1557, and will lead OCR’s work on Presidential and Departmental aggressive priority of investigation and enforcement of civil rights laws and regulations within HHS jurisdiction..

Chandy’s career before assuming her role as the HHS OCR Deputy Director for Civil Rights was devoted to the enforcement of civil rights laws in the public interest.  Most recently, Chandy worked as a policy consultant on federal advocacy with the Ms. Foundation, a non-profit organization for women.  Prior to that, she was the General Counsel for the D.C. Office of Human Rights (OHR).  In this role, Chandy advised on all legal matters facing OHR, including investigations of discrimination in the areas of employment, housing, education and public accommodation.  She also previously worked with the United States Equal Employment Opportunity Commission (EEOC) for 15 years, litigating complex civil rights employment matters in federal court through its New York District Office.  While at EEOC, she also spearheaded multiple outreach efforts and education initiatives with advocacy groups.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section,  the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past  Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns.  The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical  staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

• 11 Texans Charged In Record $900M HEAT Healthcare Fraud Takedown
• Home Health Care Providers & Prescribers OIG Health Care Fraud Targets
• Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance
• $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use
• Provider Pays $750K To Settle HIPAA Business Associate Rule Breach Charges
• CDC Public Health Intership Opportunities Announced
• Childcare Providers Brace For More Regulation & Enforcement
• North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations
• Brace For OCR HIPAA Audits & Enforcement
• North Memorial Health Care Pays $1.5M Plus HIPAA Settlement For Business Associate Agreement Deficiencies
• New CDC Guidance on Opioid Prescribing
• Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance
• OIG Opinion Lets Med Center Pay Some Transport & Short-Term Lodging Costs For Pregnant Medicaid Patients Near Delivery
• Compliance Defects Fuel Record Record $646M Antikickback Penalty
• Provider Pays $750K To Settle HIPAA Business Associate Rule Breach Charges
• CDC Public Health Intership Opportunities Announced
• Childcare Providers Brace For More Regulation & Enforcement
• North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations
• Brace For OCR HIPAA Audits & Enforcement
• North Memorial Health Care Pays $1.5M Plus HIPAA Settlement For Business Associate Agreement Deficiencies
• New CDC Guidance on Opioid Prescribing
• Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance
• OIG Opinion Lets Med Center Pay Some Transport & Short-Term Lodging Costs For Pregnant Medicaid Patients Near Delivery
• Compliance Defects Fuel Record Record $646M Antikickback Penalty
• OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000
• Redesigned OCR Website Launched
• Providers Get More Flexibility To Report Mental Health Patients To Gun Data Base Under New Privacy Rule
• OIG Modifies Past Ruling, Blesses Two New Medicare Co-Pay Financial Programs
• Obama Administration Proposal Would Extend FLSA Minimum Wage & Overtime Requirements To 5 Million+ Workers
• Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell Decision
• Obama Administration Devoting $1.25 Million To Find Ways To Encourage States To Force Employers To Give Paid Leave
• IRS FAQ Addresses Determination Letter Program As Applied To Multiple Employer Plans
• $1.4M FLSA Back Pay Award Demonstrates Worker Misclassification Risks

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

Eleven North Texans are included in the 301 individuals charged with faults billing and other healthcare fraud  in the largest ever healthcare fraud take down in history announced today by the Department of Justice(DOJ), the Department of Health and Human Services Office of Inspector General (OIG) and other agencies.

In the Northern District of Texas, 11 people were charged in cases involving over $47 million in alleged fraud. In one scheme, a physician allowed unlicensed individuals to perform physician services and then billed Medicare as if he performed them. Additionally, the physician certified patients for home health care that was often medically unnecessary. Home health companies submitted approximately $23.3 million in billings to Medicare based on the physician’s fraudulent certifications.   

The charges against the 11 North Texas individuals charges were announced as part of a much larger announcement by HHS and DOJ today  of an unprecedented nationwide sweep led by the Medicare Fraud Strike Force in 36 federal districts, resulting in criminal and civil charges against 301 individuals, including 61 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $900 million in false billings. Twenty-three state Medicaid Fraud Control Units also participated in today’s arrests. 

 In addition, the HHS Centers for Medicare & Medicaid Services (CMS) is suspending payment to a number of providers using its suspension authority provided in the Affordable Care Act. This coordinated takedown is the largest in history, both in terms of the number of defendants charged and loss amount. 

The defendants announced today are charged with various health care fraud-related crimes, including conspiracy to commit health care fraud, violations of the anti-kickback statutes, money laundering and aggravated identity theft. The charges are based on a variety of alleged fraud schemes involving various medical treatments and services, including home health care, psychotherapy, physical and occupational therapy, durable medical equipment (DME) and prescription drugs. More than 60 of the defendants arrested are charged with fraud related to the Medicare prescription drug benefit program known as Part D, which is the fastest-growing component of the Medicare program overall.

The takedown reenforces the continuing commitment of federal and state officials to target providers and others the government views as engaging in fraudulent or otherwise aggressive health care billing, referral or other prohibited practices under federal and state healthcare fraud laws.

“As this takedown should make clear, health care fraud is not an abstract violation or benign offense – It is a serious crime,” said Attorney General Lynch. “The wrongdoers that we pursue in these operations seek to use public funds for private enrichment. They target real people – many of them in need of significant medical care. They promise effective cures and therapies, but they provide none. Above all, they abuse basic bonds of trust – between doctor and patient; between pharmacist and doctor; between taxpayer and government – and pervert them to their own ends. The Department of Justice is determined to continue working to ensure that the American people know that their health care system works for them – and them alone.”

Healthcare providers should heed this warning and tighten their compliance and risk management practices, audits and training.

About The Author

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble; as among the “Best Lawyers In Dallas 2015 by D Magazine; and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, the author of this update, attorney Cynthia Marcotte Stamer, has nearly 30 year’s of extensive experience representing and advising health industry clients and others on these and other regulatory, risk management, public policy and operations matters.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. 

You can get more information about her health industry experience at here or  contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™ 

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Solutions Law Press, Inc.™ hopes that this information is useful to you. If you found these updates of interest, you also be interested in other recent Solutions Law Press, Inc. training, articles and resources. You can see more articles from this Health Care Update electronic publication, the Coalition for Responsible Health Care Reform electronic publication, our electronic HR & Benefits Update and other publications like the following and get information about training and other resources at http://www.Solutionslawpress.com.  

You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can access other recent updates and other informative publications and resources here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

By: Cynthia Marcotte Stamer

Home health care providers and prescribers beware:  Home health care providers and prescribers remain top targets of interest for the health care fraud investigation and enforcement actions of the Department of Health & Human Services (HHS) and Department of Justice (DOJ).

Despite an ever-lengthening list of widely publicized OIG and DOJ investigations and prosecutions against home health care providers and prescribers in recent months and years, the HHS Office of Inspector General (OIG) is reaffirming that home health care providers and prescribers remain targets for OIG investigation and prosecution by its release of a new Home Health Fraud video as its June 2016 “Eye on Oversight” monthly video monthly video.  The Eye on Oversight monthly videos are a series of videos that OIG releases highlighting “top areas of interest” for the OIG.  Each video highlights an emerging healthcare problem or trend that OIG perceives “social and financial impact, and hurt the American public, as well as its most vulnerable citizens.”

Home health care providers and prescribers should review the video as well as well as monitor other OIG and DOJ audits, enforcement and prosecution, and other regulatory guidance for insights of practices likely to trigger OIG investigation or enforcement interest and take well-documented steps to manage their compliance and associated risks in these areas.

About The Author

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick│Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 28 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her nearly 30- year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see CynthiaStamer.com or StamerChadwickSoefje.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc. ™ resources at Solutionslawpress.com such as:

• North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations
• Brace For OCR HIPAA Audits & Enforcement
• North Memorial Health Care Pays $1.5M Plus HIPAA Settlement For Business Associate Agreement Deficiencies
• New CDC Guidance on Opioid Prescribing
• Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance
• 3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments
• OIG Opinion Lets Med Center Pay Some Transport & Short-Term Lodging Costs For Pregnant Medicaid Patients Near Delivery
• Compliance Defects Fuel Record Record $646M Antikickback Penalty
• OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000
• Redesigned OCR Website Launched
• Providers Get More Flexibility To Report Mental Health Patients To Gun Data Base Under New Privacy Rule
• OIG Modifies Past Ruling, Blesses Two New Medicare Co-Pay Financial Programs
• IRS Stops Asserting Foreign Reinsurance Tax On Premiums Between Reinsurers
• Lehey Pays $850K After Unencrypted Laptop Stolen
• Health Care Fraud Prosecutions Target Owners, Operators & Other Leaders
• Brace For OCR HIPAA Audits
• Check Health Plan Privacy For New Guidance Compliance
• Marketplace Data Deficiencies Signal Employer ACA Headaches
• SCOTUS: States Can’t Require Reporting of ERISA Health Plan Data
• IRS OK’s Skipping Certain 2015 Form 5500 Questions
• DOL Proposes Changes To Summary of Benefit & Coverage Rules 
• More proof government should stay out of healthcare
• Health Care Quality: Different Meaning For Care Vs. Coverage
• IRS Changes Plan Qualification Procedures, Returns, Other Procedures
• Remember Microsoft: The Need for Effective Risk Management as to Contract Employees
• Obama Administration Proposes Rules Giving Jobseeker Equal Opportunity Protections
• Health Benefit Still Top Employer Benefit Cost
• U.S. Businesses & Their Leaders Face Rising FLSA Collective Action Liability Risks
• Health Care Providers’ ERISA Health Plan Benefit Opportunities & Employee Benefits Compliance Obligations Topic of 9/15 Study Group
• Improve HR Value To Company By Making HR A Performance Rather Than People Department
• Sponsoring Employers Face Excise Taxes, Other Liabilities Unless Health Plans Comply With ACA Out-Of-Pocket & Other Federal Rules
• Legal Review Of Health Plan Documents, Processes Needed To Mitigate Employer’s Excise Tax & Other Health Plan Risks
• EEOC ADA Suit Against Magnolia Health Highlights US Employer’s Growing Disability Discrimination Risks
• Proposed OSHA Regs Will Clarify Employer’s Continuing Duty To Ensure OSHA 300 Log Completeness
• 10 Practical Pointers To Use Law To Better Strengthen The Legal Defensibility Of Your Business & Its Leaders
• Tri-Agencies Update On Planned ACA Transparency Reporting Rules For Non-QHP Issuers & Non-Grandfathered Group Health Plans
• Employers, Plan Administrators Confirm All Form 5500s Timely Filed; Valuable Relief Options Available For Non-Filers
• Health Insurer/Vendor’s Claims & Appeals Deficiencies Could Trigger Significant Employer Excise Tax Liability
• HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks
• Obama Administration Proposal Would Extend FLSA Minimum Wage & Overtime Requirements To 5 Million+ Workers
• Prompt Business Action Needed To Mitigate Post-King Employer Health Benefit Costs & Liabilities

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. 

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.

Health care providers, employer and union sponsored health plans,  health insurers, healthcare clearinghouses (Covered Entities) and their business associates should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) follow OCR’s 2016 audit program on the heels of its announcement last week of two large HIPAA settlements last week.

OCR confirmed today it is sending emails notifying Covered Entities and their business associates identified as part of the kickoff of its next phase of audits of Covered Entities. In light of the HIPAA verification rules and the notorius spread of opportunistic identity theft and other fraud by opportunistic cybercrimals following these types of announcements, Covered Entities and business associates should carefully verify the requests validity and manage the response to avoid violating HIPAA in responding and position for defensibility against potential penalties. 

2016 Audit Program 

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by Covered Entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.

According to today’s announcement, the 2016 audit process begins with verification of an entity’s address and contact information. OCR is sending emails to Covered Entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. Recipients should contact qualified legal counsel immediately for advice and assistance about proper procedures to verify the email is in fact from OCR and for assistance in responding. 

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publically available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects entities to check their junk or spam email folder for emails from OCR.

 The announcement also reflects that OCR is still developing other aspects of the audit program. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.
OCR says its audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. OCR plans to use results and procedures used in the phase 2 audits to develop its permanent HIPAA audit program.

OCR Settlements Show Enforcement Risk

The audit program announcement comes less than a week after OCR announced millions of dollars of new penalties under settlements with two Covered Entities:

• A $1,555,000 settlement with North Memorial Health Care of Minnesota;
• A $3.9 million settlement with Feinstein Institute for Medical Research.

The two settlements drive home again the substantial liability that Covered Entities and their business associates risk for violating HIPAA.

Feinstein Settlement

Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html.

North Memorial

The Feinstein settlement announcement foll OCR’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement highlights the importance for Covered Entities and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of OCR. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Settlements Latest Reminder To Manage HIPAA Risks

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, the North Memorial settlement is another example of the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR concerning their obligations under HIPAA. As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI. In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs. At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule. To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breach or audit.

Latest Guidance Clarifies Patient Rights To Access PHI & Allowable Charges

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.

OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process.. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016. Get additional information or register here.T 

About The Speaker

CYNTHIA Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

New CDC Guidance on Opioid Prescribing
Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance
3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments
OIG Opinion Lets Med Center Pay Some Transport & Short-Term Lodging Costs For Pregnant Medicaid Patients Near Delivery
Compliance Defects Fuel Record Record $646M Antikickback Penalty
OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000
Redesigned OCR Website Launched
Providers Get More Flexibility To Report Mental Health Patients To Gun Data Base Under New Privacy Rule
OIG Modifies Past Ruling, Blesses Two New Medicare Co-Pay Financial Programs
IRS Stops Asserting Foreign Reinsurance Tax On Premiums Between Reinsurers
Lehey Pays $850K After Unencrypted Laptop Stolen
Health Care Fraud Prosecutions Target Owners, Operators & Other Leaders
Excluded Nurse, Husband Face Decades Imprisonment on $80M Home Health Fraud Convictions
Practitioners Act Now To Request Review of 2016 Value Modifiers Now

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile.
©2016 Cynthia Marcotte Stamer.

Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

The Department of Health & Human Services has issued an opinion approving an academic medicine center’s proposed arrangement under which the facility would pay for certain transportation costs to and from the hospital and costs for short-term lodging near the facility prior to delivery.  See  http://ow.ly/YXcc9.  While the opinion provides helpful insights for other facilities interested in offering similar arrangements without violating the Medicare Statute, health care organizations are cautioned that the OIG opinion only provides protection for the specific academic medical center to which it was issued, and then only to the extent that all requirements and assumptions of the opinion are met.  Other organizations interested in adopting a similar practice should consult with qualified legal counsel about pursuing an OIG opinion approving their specific proposed arrangement.

Tardiness in implementation of a meaningful compliance program is a key reason why the United States’ largest distributor of endoscopes and related equipment, Olympus Corp. of the Americas (OCA), will be required to pay a record $623.2 million in criminal and civil penalties and implement other reforms to resolve criminal charges under the Antikickback Statute and related civil claims brought by a whistleblower under the False Claims Act (FCA) for paying kickbacks to doctors and hospitals in the United States and Latin America under the three-year deferred prosecution agreement (DPA) the Justice Department announced March 1, 2016. The combined criminal and civil penalties will be the largest total amount paid in U.S. history for violations involving the AKS by a medical device company.

In addition to the resolution of the AKS criminal charges and FCA civil lawsuit against OCA, an OCA subsidiary, Olympus Latin America (OLA), also agreed to pay $22.8 million to resolve criminal charges relating to the Foreign Corrupt Practices Act (FCPA) in Latin America.

OCA Anti-Kickback Violation Charges & Settlement

OCA agreed to the March 1, 2016 DPA imposing the record $623.2 million in criminal and civil penalties and requiring OCA to implement other reforms resolve criminal charges filed March 1, 2016 against OCA in the Newark, New Jersey District Court charging OCA with conspiracy to violate the Anti-Kickback Statute (AKS) prohibition against health care organizations making payments to induce purchases paid for by federal health care programs.

The criminal complaint against OCA, which OCA agrees in the DPA is true, charges that OCA won more than $600 million in new sales and realized gross profits of more than $230 million by improperly by giving doctors and hospitals kickbacks, including consulting payments, foreign travel, lavish meals, millions of dollars in grants and free endoscopes.  For example, the Justice Department says:

• OCA gave a hospital a $5,000 grant to facilitate a $750,000 sale;
• OCA held up a $50,000 research grant until a second hospital signed a deal to purchase Olympus equipment;
• OCA paid for a trip for three doctors to travel to Japan in 2007 as a quid pro quo for their hospital’s decision to switch from a competitor to Olympus; and
• A doctor with a major role in a New York medical center’s buying decisions received free use of $400,000 in equipment for his private practice.

The criminal complaint alleges that the improper payments happened while Olympus lacked training and compliance programs.  Unlike other medical and surgical products companies, Olympus did not create the position of compliance officer until 2009 and did not hire an experienced compliance professional until August 2010.

To resolve the AKS criminal charges, the Justice Department reports that OCA agreed to enter into a three-year DPA that will allow OCA to avoid conviction under the complaint if it complies with the reform and compliance requirements outlined in the agreement.   To meet the conditions of the DPA, OCA must pay a $312.4 million criminal penalty and an additional $310.8 million to settle civil claims under the federal and various state False Claims Acts, as well as remedy its compliance problems by adopting several compliance measures. The required compliance measures include:

• OCA must enhance its compliance training and maintain an effective compliance program;
• OCA must maintain a confidential hotline and website for OCA employees and customers to report wrongdoing;
• OCA’s chief executive officer and board of directors must certify annually that the program is effective; and
• OCA must adopt an executive financial recoupment program requiring executives who engage in misconduct or fail to promote compliance to forfeit up to three years of performance pay.

Larry Mackey, a former federal prosecutor best known for trying the Oklahoma City bombing cases, is the independent monitor selected by the Justice Department to evaluate and oversee Olympus’ compliance with the DPA.  The DPA and monitor will remain in place for three years and can be extended for another two years if Olympus violates the DPA.

Related OCA FCA Whistleblower Suit Settlement

In addition to resolving the criminal charges brought by the Justice Department, OCA and the Justice Department also entered into a related civil settlement that resolves a whistleblower lawsuit originally filed by John Slowik, the former chief compliance officer of OCA, in the District of New Jersey, under the federal and various state False Claims Acts.  Under the civil settlement, Olympus agrees to pay $310.8 million to the federal government and the states to resolve claims that OCA’s payment of kickbacks caused false claims to be submitted to federal health care programs Medicare, Medicaid and TRICARE, and thus violated not only the AKS but also the federal and various state False Claims Acts.  The federal share of the civil settlement is $267,288,323, and Olympus will pay $43,512,053 million to participating states that contributed to the falsely claimed Medicaid payments at issue.   Since the FCA allows whistleblowers to file suit for false claims against the government entities and to share in any recovery, Mr. Slowik will receive $44,102, 573 million from the federal share and $7 million from the state share of the civil settlement amount.

OLA FCPA Violations & Settlement

Separately, OCA’s Miami-based subsidiary, OLA, entered into a separate three-year DPA with the Justice Department to resolve a separate criminal complaint also filed today in Newark federal court that charged OLA with FCPA violations in connection with improper payments to health officials in Central and South America.  According to court documents, from 2006 until August 2011, OLA implemented a plan to increase medical equipment sales in Central and South America by providing payments to health care practitioners at government-owned health care facilities.  These payments included cash, money transfers, personal grants, personal travel and free or heavily discounted equipment.  The primary method to deliver these illicit benefits was through “training centers,” nominally set up to educate and train doctors, but which OLA used to provide benefits to pre-selected practitioners.  OLA and its conspirators paid nearly $3 million to practitioners to induce the purchase of Olympus products and recognized more than $7.5 million in profits as a result.

According to the Justice Department, OLA entered into a separate DPA with the Criminal Division’s Fraud Section and the U.S. Attorney’s Office of the District of New Jersey to settle these FCPA charges.  The DPA requires OLA to pay a criminal penalty of $22.8 million, retain the same compliance monitor as for OLA (Mr. Mackey) for a period of three years and implement a number of compliance measures.   The Justice Department’s announcement of the charges and settlement indicates that the amount of the required criminal penalty was influenced by a number of factors, including that OLA did not voluntarily disclose the misconduct in a timely manner, but OLA did receive credit of a 20 percent reduction on its penalty for its cooperation, including its extensive internal investigation, translation of numerous foreign language documents and collecting, analyzing and organizing voluminous evidence.

Corporate Integrity Agreement

In addition to the criminal and civil resolutions, OCA executed a corporate integrity agreement (CIA) with the Department of Health and Human Services-Office of Inspector General (HHS-OIG).  The CIA details the compliance program OCA must maintain, which must include:

• compliance responsibilities for OCA management and the board of directors;
• a health care compliance code of conduct that includes certain standards;
• training and education that includes specified standards;
• requirements for consulting arrangements, grants and charitable contributions, management of field assets and review of travel expenses;
• risk assessment and mitigation process; and
• review procedures for testing the compliance program.

Penalties Send Message: Implement Meaningful Compliance Programs

Comments of U.S. Attorney Paul J. Fishman of the District of New Jersey in the Justice Department’s announcement of the OCA DPA send a clear warning to health care providers and suppliers about the their own risks of failing to maintain and the potential benefits of maintaining demonstrably meaningful compliance programs to both prevent violations and to position their organization to resolve or mitigate their liability in the event a violation occurs despite their administration of a robust AKS, FCA or other violation of federal or state health care fraud or other law.

“For years, Olympus Corporation of the Americas and Olympus Latin America dropped the compliance ball and failed to have in place policies and practices that would have prevented the substantial kickbacks and bribes they paid,” said U.S. Attorney Fishman. “It is appropriate that they be punished for that. At the same time, the deferred prosecution agreement takes into account the companies’ cooperation and commitment to fully functional corporate compliance.”

Attorney Fishman’s warning comes amid ever growing success by the Justice Department, the OIG and other federal and state law enforcement and health care regulators in their efforts to uncover and prosecute violations of federal and state health care fraud and other laws through the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative announced in May 2009 by the Attorney General and the Secretary of Health and Human Services.  Since January 2009, the Justice Department has recovered a total of more than $27.4 billion through False Claims Act cases, with more than $17.4 billion of that amount recovered in cases involving fraud against federal health care programs. In response to this rigorous enforcement, health care providers and suppliers should remain ever diligent in their efforts to prevent AKS, FCA and other violations of federal and state health care laws.

About The Author

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble; as among the “Best Lawyers In Dallas 2015 by D Magazine; and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, the author of this update, attorney Cynthia Marcotte Stamer, more than 28 years of extensive experience representing and advising health industry clients and others on these and other regulatory, risk management, public policy and operations matters.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

Solutions Law Press, Inc.™ hopes that this information is useful to you. If you found these updates of interest, you also be interested in  other recent Solutions Law Press, Inc. training, articles and resources.  You can see more articles from this Health Care Update electronic publication, the Coalition for Responsible Health Care Reform electronic publication, our electronic HR & Benefits Update and other publications like the following and get information about training and other resources at www.Solutionslawpress.com:

• OCR’s 2nd-Ever HIPAA CMP Nails Lincare For$239,000
• Redesigned OCR Website Launched
• Providers Get More Flexibility To Report Mental Health Patients To Gun Data Base Under New Privacy Rule
• OIG Modifies Past Ruling, Blesses Two New Medicare Co-Pay Financial Programs
• IRS Stops Asserting Foreign Reinsurance Tax On Premiums Between Reinsurers
• Lehey Pays $850K After Unencrypted Laptop Stolen
• Health Care Fraud Prosecutions Target Owners, Operators & Other Leaders
• Excluded Nurse, Husband Face Decades Imprisonment on $80M Home Health Fraud Convictions
• Practitioners Act Now To Request Review of 2016 Value Modifiers Now
• Civil Rights Settlement Highlights Health Industry Discrimination Risks As OCR Prepares To Broaden Requirements
• Use Free Cyber Security Awareness Month Resources To Boost HIPAA & Other Cyber Security Training & Skills
• NLRB 29 Unfair Labor Practice Charges Against Community Health Systems, Inc. Shows Industry Labor Risks
• OCR’s Proposed Sex & Other Discrimination Rules Spell Headaches & New Risks For Health Care Providers, Insurers & Others

You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can access other recent updates and other informative publications and resources here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

Home respiratory care, infusion therapy, and medical equipment provider Lincare, Inc. (Lincare) must pay the $239,000 second-ever civil monetary penalty (CMP) imposed under the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rules by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) for HIPAA violations OCR found Lincare committed under the January 13, 2015 summary judgment ruling of HHS Administrative Law Judge Carolyn Cozad Hughes (ALJ).  The ALJ’s ruling in Director of the Office for Civil Rights, Petitioner, v. Lincare, Inc rejecting Lincare’s appeal of only the second ever CMP OCR ever assessed against a health care provider, health plan, heathcare clearinghouse (“covered entity”) for violating HIPAA, the Lincare case contains many important lessons for home health care and other covered entities and their business associates about their HIPAA responsibilities both to act properly to protect PHI used or accessed by members of their workforce outside the covered entities’ offices as well as to ensure that workforce members know that their duty to protect PHI against improper disclosure extends to preventing disclosure to their spouses and other family or friends with potential access to systems or records containing PHI.

Lincare Facts & Decision

The Lincare CMP resulted from HIPAA violations that OCR found when it investigated a HIPAA complaint filed by the estranged spouse of Lincare’s Wynne, Arkansas Center Manager, Faith Shaw. Ms. Shaw’s estranged husband, Richard reported to Lincare and OCR that Ms. Shaw left behind documents containing the protected health information (PHI) of 278 patients a when Ms. Shaw moved out of the marital home in August 2008.  During OCR’s investigation, Ms. Shaw and her manager both told OCR she and other Lincare employees regularly were required to and regularly removed records containing PHI from Lincare’s offices to use to provide home health care services.  In fact, Ms. Shall and her manager told OCR that Lincare told center managers like Ms. Shaw to maintain copies of the procedures manual “secured” in their vehicles so that company employees would have access to patient contact information if a center office were destroyed or otherwise made inaccessible. Ms. Shaw said she followed these practices when she the manual and other documents containing PHI out of the office and admitting to keeping documents containing PHI in her car during her marriage even though she knew that her then husband had keys to the car. Ms. Shaw also admitted that when she moved out of the marital home in August 2008, she left the documents behind without realizing it. In fact, she told the OCR investigator that, when she left, she didn’t even know where the car was parked and that neither Ms. Shaw nor anyone else from Lincare realized that Ms. Shaw had left the documents behind until notified by her estranged spouse, Richard Shaw – who all parties agreed was not authorized to see the PHI – reported to Lincare and then to OCR that he had them in his possession.

Based on these and other findings, OCR concluded that Lincare violated HIPAA by among other things, having inadequate policies and procedures in place to safeguard patient information taken offsite when it knew employees regularly removed material with PHI from the business premises to deliver home healthcare services. OCR also found that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time without making adequate provision for the security and protection.  OCR concluded that these and other actions violated HIPAA and that Lincare’s failure to take prompt corrective action satisfactory to OCR warranted the assessment of the $239,000 CMP.

Lincare disagreed and appealed to the ALJ to have the CMP overturned based on HIPAA § 1176(a)(1, which provides OCR may not impose a CMP if the covered entity shows:

• The covered entity did not know about the violation and, by exercising reasonable diligence, would not have known about the violation; or
• Each of the following:
  • Despite the exercise of ordinary business care and prudence, circumstances made it unreasonable for the covered entity to comply with the violated provision;
  • The violation was not caused by “willful neglect”; and
  • The covered entity corrected the deficiency within 30 days of the date the covered entity knew or should have known about it.

See 45 C.F.R. § 160.410(b).

Lincare argued that it was excused from liability for payment of a CMP because it was the victim of a theft, for which it should not be held accountable. Specifically, Lincare claimed that complainant Richard Shaw “stole” the manual and attempted to use it as leverage to induce his estranged wife to return to him.

In her order upholding OCR’s imposition of the CMP upon summary judgement, the ALJ rejected this argument. Characterizing Lincare’s “defense” as unsupported by any evidence and “just as damaging -perhaps even more damaging -than the OCR version of events,” the ALJ found the undisputed evidence established that Manager Shaw, a Lincare workforce member, removed her patients’ PHI from the company office, left it in places to which her husband, an unauthorized person, had access, and then abandoned it altogether so neither she nor anyone else at Lincare even knew that the information was missing until months later. Accordingly, the ALJ granted OCR’s motion for summary judgment and upheld OCR’s assessment of the $239,800 CMP.

Lessons For Other Covered Entities & Business Associates 

Other covered entities and business associates should learn several key lessons from the Lincare decision including:

• HIPAA requires covered entities and their business associates to take reasonable steps to protect its PHI from theft;
• Covered entities and business associates that allow employee or other workforce members have a duty to establish and enforce apprvacopriate safeguards to protect these records from theft or other improper use or access.
• The duty to maintain the privacy of HIP includes a duty to take proper steps to protect PHI from improper disclosure includes a duty to prevent is disclosure to or use by he spouse or other family member of the workforce member.

All covered entities and their business associates should verify the adequacy of their compliance with these new rules.

Revenue Ruling 2016-03 announces that the Internal Revenue Service (IRS) has reconsidered Revenue Ruling 2008-15, 2008-1 C.B. 633, in view of the decision of the United States Court of Appeals for the District of Columbia Circuit in the case of Validus Reinsurance, Ltd. v. United States, 786 F.3d 1039 (2015). As a result, the IRS will no longer apply the one-percent excise tax imposed by section 4371(3) to premiums paid on a policy of reinsurance issued by one foreign reinsurer to another foreign insurer or reinsurer under the situations described in Rev. Rul. 2008-15. Rev. Rul. 2008-15 is hereby revoked.  

Rev. Rule 2016-3 will be in IRB 2016-3, dated Jan. 19, 2016.

Tufts Medical School affiliate Lahey Hospital and Medical Center (Lahey) must pay an $850,000 resolution payment and adopt and implement a robust corrective action plan to settle charges that it engaged in widespread noncompliance with the Privacy & Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) brought by the Department of Health & Human Services Office of Civil Rights (OCR) as a result of an OCR investigation into Lahey’s report of a stolen, unencrypted laptop. The Resolution Agreement and Corrective Action Plan (Resolution Agreement) with Lahey announced by OCR on November 25, 2015, should remind health care providers and their business associates of the importance of ensuring proper encryption of all portable laptop or other devices that may contain electronic protected health information (ePHI) including those used in connection with or as part of diagnostic equipment or devices.

Lahey entered into the to settle OCR charges brought as a result of an OCR investigation prompted by Lahey’s report in 2011 of a stolen laptop that operated a portable computerized tomography (“CT”) scanner and produced images for viewing through Lahey’s Radiology Information System and Picture Archiving and Communication System.
The stolen laptop was unencrypted and contained electronic protected health information (ePHI) of approximately 599 individuals. It was stolen from an unlocked treatment room off of the inner corridor of Lahey’s Radiology Department while out of use overnight.

According to OCR’s November 25, 2015 announcement of the Lahey Resolution Agreement, OCR’s investigation into the theft uncovered evidence of widespread non-compliance with the HIPAA rules, including:
• Failure to conduct a thorough risk analysis of all of its ePHI;
• Failure to physically safeguard a workstation that accessed ePHI;
• Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
• Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
• Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
• Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, the Resolution Agreement requires Lahey to address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance.

OCR’s announcement of the Resolution Agreement drives home the importance of proper laptop or other mobile device encryption.  “It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” said OCR Director Jocelyn Samuels. “Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”

The Lahey Resolution Agreement is the latest in a series of OCR Resolution Agreements that drive home the requirement that health care providers properly secure laptops and other mobile devices that may contain ePHI. While OCR has made clear that these security efforts should begin with proper encryption of the devices, other safeguards also may be warranted.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 27 years’ experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.
Other Helpful Resources & Other Information.

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can access other recent updates and other informative publications and resources here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2015 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.