CardioNet $2.5M HIPAA Resolution Agreement Schools HIPAA Entities To Clean Up Their Acts

April 26, 2017

Remote cardiac monitoring provider CardioNet is paying $2.5 million and implementing a corrective action plan to settle potential charges of noncompliance with the Health Insurance and Portability Act (HIPAA) Privacy and Security Rules by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) based on the impermissible disclosure of unsecured electronic protected health information (ePHI).

The first OCR HIPAA settlement involving a wireless health services provider, the CardioNet Resolution Agreement and Corrective Action Plan  (Resolution Agreement) announced by OCR on April 24, 2017 clearly illustrates for all covered entities and their business associates of the substantial liability risks of failing to finalize and actually adopt, implement, administer and maintain the necessary HIPAA Privacy and Security policies and procedures required by HIPAA as well as some of the steps OCR expects to fulfill these requirements.

CardioNet Charges & Settlement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report.  On January 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of ePHI 2,219 individuals, respectively.

Likewise, the HIPAA breaches uncovered by OCR in the course of investigating these CardioNet breaches occur in the operations of many other covered entities.  According to the OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.

To resolve these OCR charges, CardioNet agrees in the Resolution Agreement to pay $2.5 million to OCR and implement a corrective action plan.  Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

  • Prepare a current, comprehensive and thorough Risk Analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that Risk Analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its Risk Management Plan, Policies and Procedures, and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis as required by the Risk Management Plan.
  • Review and, to the extent necessary, revise, its current Security Rule Policies and Procedures (“Policies and Procedures”) based on the findings of the Risk Analysis and the implementation of the Risk Management Plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used (“Certification”).
  • Review, revise its HIPAA Security training to include a focus on security, encryption, and handling of mobile devices and out-of-office transmissions and other policies and practices require to address the issues identified in the Risk Assessment and otherwise comply with the Risk Management Plan and HIPAA train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications For Covered Entities & Business Associates

The CardioNet Resolution Agreement contains numerous lessons for other Covered entities and their business associates, including but not limited to the following.

  • Like many previous resolution agreements announced by OCR, the Resolution Agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process, OCR expects all laptop computers and other mobile devices containing or with access to ePHI be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from OCR when OCR receives a report that their organization experienced a large breach of unsecured ePHI.
  • The Resolution Agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects OCR expects covered entities  to actually final policies, procedures and training in place for maintaining compliance with HIPAA.
  • The discussion and requirements in the Corrective Action Plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of their ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
  • The requirement in the Resolution Agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the Resolution Agreement and its implementation against CardiNet makes clear that OCR remains serious about HIPAA enforcement.

Of course, covered entities and business associates need to keep in mind that that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks.  For instance, since PHI records and data involved in such breaches usually incorporates Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws.  Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.

Beyond, and regardless of the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation, admission also typically are the most inevitable:

  • The intangible, but critical loss of trust and reputation covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation, or charge.

In light of these risks, covered entities business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures.   Management of covered entities and their business associates should take steps to ensure that their organizations policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented.  Management should ensure that their organizations carefully evaluate and strengthen as necessary their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced in a well-documented manner.  The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes.  To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other data security, privacy and breach laws.  Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other “nonpar,” insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.


3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments

March 9, 2016

Solutions Law Press, Inc. ™ Invites You To A Special WebEx Briefing  

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Wednesday, March 30, 2016

1:00 P.M.-2:00 P.M. Eastern | 12:00 P.M.-1:00 P.M. Central 11:00 A.M-12:00 P.M. Mountain | 10:00 A.M-11:00 A.M. Pacific

Health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) face new imperatives to review and tighten their practices to ensure their practices comply with recently released guidance from the U.S. Department of Health & Human Services Office of Civil Rights (OCR)) emphasizing and clarifying the responsibilities of health care providers, health plans and the healthcare clearinghouses under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide access to individuals that are the subject of protected health information or “PHI” to access or copies of their PHI in accordance with HIPAA’s rules and other recent HIPAA guidance and enforcement. With OCR’s recent release of added guidance and OCR enforcement statistics continuing to show HIPAA access rule violations among the most common HIPAA violations and OCR stepping up HIPAA enforcement, health care providers, health plans, healthcare clearinghouses can expect heightened scrutiny and enforcement of these requirements. Additionally, Covered Entities also should evaluate the adequacy of their other practices in light of other recent OCR guidance and enforcement actions.

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on HIPAA’s requirements to provide access to patients to PHI by registering here to participate in the Solutions Law Press, Inc.™ “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” WebEx briefing from Cynthia Marcotte Stamer on Friday, March 18, 2016.   During the Briefing, Ms. Stamer will provide participants with:

√ An update on OCR enforcement actiions and guidance over past 12 months

√ A detailed discussion of OCR’s new guidance about when Covered Entities must provide PHI access or copies to patients

√ Discuss rules and best practices for verifying the identity and credentials of an individual requesting PHI as a patient or personal representative of a patient

√ Share tips for contracting and dealing with business associates to facilitate administration of patient PHI access and security compliance activities

√ Share other practical considerations & best practices for compliance and risk management

√ Respond to participant questions on a time permitting basis

√ More

ABOUT THE SPEAKER

Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine;, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her more than 28 years extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy and other key operational concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance including extensive involvement with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others. Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators as well supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served as the scrivener for the ABA JCEB’s meeting with OCR on HIPAA for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

 REGISTRATION & PROGRAM DETAILS

Registration Fee per course is $75.00 per person. Registration Fee Discounts available for groups of three or more participants from the same organization. Limited opportunities for participation. Registration accommodated on a first come basis. Completed registration and payment required via website registration 48 hours in advance of the program. No checks or cash accepted. Persons not registered with completed payment at least 48 hours in advance will only participate subject to availability and completed registration and payment. Payment only accepted via website PayPal. Register Here!

The Webex will be conducted over the internet. Participants will receive access code and instructions for sign on to participate in the Webex and/or dial in to participate in the program via telephone after processing of completed registration. Participants must have access to a computer with internet access and to telephone access to dial in via telephone to participate in the program. Solutions Law Press, Inc. is not responsible for any interruption or interference in participation resulting from limitations in the internet connectivity, computer, telephone or other equipment used by the participant to access and participate in the program.

ABOUT SOLUTIONS LAW PRESS, INC.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders better anticipate legal and operational issues impacting their organization’s performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com.   These programs, publications and other resources are provided only for general informational and educational purposes, the applicability of which to any particular circumstances may be impacted by legal changes, the specific facts and circumstances or other factors. Consequently, neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are not intended to or shall not be construed as establishing an attorney-client relationship, to constitute legal advice or a substitute for legal advice, or otherwise provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties that any participant or any other party can rely upon the information or any statements presented herein. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.   ©2016 Solutions Law Press, Inc.

 

 

 


NLRB Helps Union Force Another Health Care Employer To Recognize & Bargain With Union

March 13, 2014

Hospitals, skilled nursing and other health care organizations need to be concerned about union organizing of  their employees in light of the growing success of unions with the aid of the pro-union support and agenda of the National Labor Relations Board (NLRB)  under the Obama Administration’s leadership.  The Administration’s goal of telling health care providers what to do extends well beyond Medicare and Medicaid into their workforce and terms and conditions of employment.

 On February 21, 2014, for instance, the Obama Administration helped the Service Employees International Union (the Union) force Holy Cross Youth and Family Services, Inc., d/b/a Kairos Healthcare (the Employer), a provider of drug and alcohol rehabilitation services, to recognize and bargain with the  over terms and conditions of employees with the Union by securing a court order forcing the employer to recognize and bargain with the Union.

 Ruling in a lawsuit filed by the NLRB against the Employer on February 21,  a federal court judge for the Eastern District of Michigan ordered upheld the allegations made in August 23, 2013 by the National Labor Relations Board (NLRB) Detroit, Michigan Regional Office that the Employer violated the National Labor Relations Act when it withdrew recognition from Local 517M, made unilateral changes to employees’ terms and conditions of employment without affording the Union an opportunity to bargain over those changes, and failed to provide relevant information to the Union to help in its bargaining with the Employer on behalf of the employees.

The Regional Office sought, and the Board authorized, seeking interim injunctive relief to return the parties to the bargaining table pending final resolution of the matter, to require the Employer to provide the Union with the information it requested and, upon request, to rescind the unilateral changes made to employees’ terms and conditions of employment.

On February 21, 2014, the District upheld the Regional Office’s action.  It ruled that an interim injunction was appropriate to prevent loss of Union support, to keep the employees’ right to bargain with their Employer through their chosen bargaining representative, and to provide the Union with the information it needs to evaluate and make bargaining proposals while the administrative case is pending before the Board.

The case is one of a growing number of actions where the NLRB has used is powers to help Unions force health care and other employers to yield to union demands.  See e.g., Specialty Healthcare and Rehabilitation of Mobile, Board Case No. 15-CA-68248 (reported at 357 NLRB No. 174) (6th Cir. decided August 15, 2013 under the name Kindred Nursing Centers East, LLC f/k/a Specialty Healthcare and Rehabilitation of Mobile v. NLRB).

These decisions should remind health care and other employers of the highly union-friendly bent of the NLRB under the current administration, as well as the hazards of mishandling efforts to defend against union organizing and other protected activities under the NLRA.  Beyond the obligation to recognize and bargain with properly certified collective bargaining unions, the NLRB and other federal labor laws also grant employees a host of other protections.  Among these are recently affirmed rights-even for a worker not represented by a union – to insist another employee be present when participating in disciplinary and certain other meetings with management, rules limit the ability of employers to prohibit or restrict employees requiring employees to keep confidential and not discuss among each other  salary, wages or other terms of compensation or employment  terms and conditions, and others.  The Obama Administration has made known its desire to expand these rights further and has carried out an aggressive legislative, regulatory and enforcement campaign in pursuit of this goal since taking office.  For this reason, health care or other organizations should seek the advice and assistance of qualified legal counsel experienced with labor management relations matters to review policies for compliance, to prepare and administer anti-organizing activities, and to evaluate and respond to union organizing or bargaining activities.

For More Information Or Assistance

If you need assistance responding to health industry staffing and workforce, regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD, and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Board Certified in Labor and Employment Law, Ms. Stamer’s experience includes continuous involvement in advising and representing health care organizations about employment, labor-management, peer review and staffing and other workforce management and compensation concerns.  Ms. Stamer also continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


APDerm To Pay $150k To Settle 1st HIPAA Breach Rule Charges

December 27, 2013

A new settlement agreement announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) shows health plans, health care providers, health care clearinghouses and their business associates the perils of failing to properly implement the necessary policies and procedures to comply with the breach notification requirements added to the Health Insurance Portability & Accountability Act of 1996 (HIPAA) added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

APDerm Settlement Overview

Private dermatology practice, Adult & Pediatric Dermatology, P.C., (APDerm) has agreed to pay $150,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules.  The APDerm Settlement  marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.

According to its December 26, 2013 announcement of the settlement, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The APDerm settlement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteIt joins the  growing list of settlement or resolution agreements under HIPAA announced by OCR.

The APDerm also is notable both as it settles the first ever charges against a covered entity for failing to adopt required Breach Notification policies and procedures and the relatively most settlement payment required in comparison to other announced settlement.  Other settlements have been significantly higher.  For instance,  OCR required that Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s audit,  investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, evolving rules and technology, and other developments to determine if additional steps are necessary or advisable. For tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

Board Certified in Labor & Employment Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters.

Throughout her career, Ms. Stamer has advised and represented health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to health care, human resources, tax, privacy, safety, antitrust, civil rights, and other laws as well as with internal investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.


[1] WHD’s announcement of the planned rule notes that this draft shared December 15 remains subject to change before formally published in the Federal Register


CMS Releases New Eligible Professionals Guide On Stage 2 EHR Incentive Program

September 18, 2013

CMS just released An Eligible Professional’s Guide to Stage 2 of the EHR Incentive Programs, which provides a comprehensive overview of Stage 2 of the EHR Incentive Programs for eligible professionals. The guide outlines criteria for Stage 2 meaningful use, 2014 clinical quality measure reporting, and 2014 EHR certification including Chapters on;

  • What is Stage 2 of the EHR Incentive Programs?
  • What are the requirements under Stage 2 of Meaningful Use?
  • How will clinical quality measures (CQMs) change?
  • Resources

The guide can be found on the Educational Resources page of the EHR website.

Health care providers and their vendors and advisors using these resources also are reminded to ensure that their business associate agreements, privacy practices notices and other privacy and data security processes, policies, and procedures are updated to comply with changes to the Privacy, Security, Breach Notification and other requirements he for the protection and handling of personal health information including electronic personal health information of the Health Insurance Portability & Accountability Act (HIPAA) as amended by the HITECH Act.  The Final Omnibus Regulations published by the Office of Civil Rights (OCR) generally took effect earlier this year except that the regulations set next Monday, September 23, 2013 as the deadline for updating business associate agreements and the effective date for the extension of most HIPAA requirements to business associates.  As demonstrated by recent enforcement actions by OCR, Health care providers and other covered entities, their business associates and advisors continuously reconfirm that their systems and arrangements continue to comply with these requirements as they make updates.

For More Information Or Assistance

If you need assistance responding to EHR, HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information on this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


OCR Shares Model Privacy Notices 1 Week Before Deadline For Updated Business Associate Agreements

September 16, 2013

A week before the September 23, 2013 deadline for all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates to have updated their business associate agreements to comply with the Final Omnibus HIPAA Rule, the Department of Health & Human Services Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) today (September 16, 2013) released Model Notices of Privacy Practices (Notices) for health care providers and health plans to use to communicate with their patients and plan members. With penalties and enforcement continuing to rise, Covered Entities and their business associates should take appropriate steps to review and update their privacy and breach notification policies and procedures, privacy officer appointments, notices of privacy practices, business associate agreements and other HIPAA compliance and risk management documentation, practices, procedures and coverage, breach notification and other HIPAA compliance and risk management practice.

Model HIPAA Notices

Developed collaboratively by ONC and OCR the Notices available here designed in the following three different styles are designed for users to customize to fit their specific needs and practices:

  • A notice in the form of a booklet;
  • A layered notice with a summary of the information on the first page and full content on the following pages; and
  • A notice with the design elements of the booklet, but that is formatted for full-page presentation.

Use of these model Notices is optional.  While the agencies designed the Notices to let Covered Entities to use these models by entering some of their own information into the model, such as contact information, and then printing for distribution and posting on their websites, Covered Entities should consult with legal counsel to determine the suitability of the Notices generally for their entity’s use and any customization, if any, that may be recommended or required to a Notice if the Covered Entity decides rely upon a model Notice to prepare its Notice of Privacy Practices.  To facilitate any tailoring, the agencies provided a text-only version for Covered Entities wishing only wish to use the content with or without tailoring.

September 23 Business Associate Agreement Update Deadline

September 23, 2013 also is the final deadline established in the Final Omnibus HIPAA Rule for Covered Entities and their business associations to update the business associate agreements required by HIPAA to reflect application of the breach notification, business associate, and many of HIPAA’s requirements to directly cover business associates and other aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009.  While HHS published a Sample Business Associate Agreement last June to aid Covered Entities and their business associates with understanding the business associate agreement requirements as impacted by the Omnibus Final HIPAA Rule, it also made clear that Covered Entities and their business associates should tailor their business associate agreements to fit their specific circumstances and relationships.  OCR National Office and regional officials speaking about their findings about past business associate agreement compliance have indicated that their audit and enforcement activities show widespread compliance issues among Covered Entities and business associates with the original business associate agreements.  OCR clearly expects Covered Entities and their business associates to address and resolve these compliance issues going forward.

Covered Entities and their business associates are increasingly at peril if caught violating HIPAA’s Privacy, Security or Breach Notification rules.  With the HITECH Act Breach Notification rules now requiring Covered Entities to self-disclose breaches, OCR becomes aware of breaches much more easily.  Coupled with the HITECH Act’s increase in sanctions for HIPAA violations, Covered Entities and, beginning September 23, 2013, their business associates face rising risks for violating HIPAA.  See, e.g. HHS Settles with Health Plan in Photocopier Breach Case; WellPoint Settles HIPAA Security Case for $1,700,000; Shasta Regional Medical Center Settles HIPAA Security Case for $275,000; Idaho State University Settles HIPAA Security Case for $400,000; and HHS announces first HIPAA breach settlement involving less than 500 patients.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For More Information Or Assistance

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information on this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


CMS To Host Provider Webinar To Celebrate National Health IT Week

September 13, 2013

In celebration of the third annual National Health IT Week is September 16-20, the Centers for Medicare & Medicaid Services (CMS) will host several webinars and launching new eHealth tools and resources that it intends to help providers participate in eHealth programs.  These programs may be of interest to providers as well as payers who are interested in what providers are doing to use eHealth tools.

Details of Webinar

The eHealth Provider Webinar will be held on Thursday, September 19th from 12:00 p.m. to 1:30 p.m. ET.  CMS plans to present an overview of the eHealth programs and its eHealth initiative—an initiative that aligns health IT and electronic standards programs on:

  • Administrative Simplification
  • eRx Incentive Program
  • ICD-10
  • Quality Measurement

A portion of the webinar will also be dedicated to Q&A.

Registration Information

Space is limited.  Register now to secure your spot for the eHealth Provider WebinarOnce registration is complete, you will receive a follow-up email with step-by-step instructions on how to log-in to the webinar.  Listserv messages are sent prior to each webinar session with registration information.

If you’d like to view past webinars, the PowerPoint presentations and recordings can now be accessed on the Resources page of the eHealth website.  For more information about CMS’ eHealth Initiatives, visit the CMS eHealth website for the latest news and updates on CMS’ eHealth initiatives.

For More Information Or Assistance

If you need assistance responding to this invitation or with other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Tell HHS What You Think-Comment On HHS Strategic Plan Now!

September 9, 2013

Health care providers, health plans, employers and others concerned about the regulatory and enforcement activities of the Department of Health & Human Services (HHS) can make their concerns known by speaking up now.  Share your input on the draft HHS strategic plan that will guide HHS’ regulatory and enforcement agenda for the next 4 years.

Every 4 years, HHS updates its strategic plan, which describes its work to address complex, multifaceted, and ever-evolving health and human service issues, including:

  • Health Care
  • Research and Innovation
  • Prevention and Wellness

HHS is inviting public input on the draft HHS Strategic Plan for FY 2014-2018. The comment period is open until October 15, 2013.  Individuals or organizations wishing to respond to this invitation can read the HHS Strategic Plan FY 2014-2018 (Draft) and submit your comments several ways including:

For More Information Or Assistance

If you need assistance responding to this invitation for comment or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Court Upholds NLRB Certification of CNAs As Bargaining Union Based On NLRB Modified Community Of Interest Test

August 21, 2013

Hospitals, skilled nursing and other health care organizations facing or concerned about union organizing or their nursing  or other staffs employees should consider an apparent change in National Labor Relations Board (NLRB) certification policy upheld when the  Sixth Circuit ruling upheld the NLRB’s certification of a bargaining unit consisting exclusively of certified nursing assistants (CNAs) at Specialty Healthcare and Rehabilitation of Mobile (Specialty) nursing home and enforced the Board’s order finding that Specialty’s refusal to bargain with the certified unit violated Section 8(a)(5) and (1) of the National Labor Relations Act (NLRA).

Specialty Healthcare and Rehabilitation of Mobile, Board Case No. 15-CA-68248 (reported at 357 NLRB No. 174) (6th Cir. decided August 15, 2013 under the name Kindred Nursing Centers East, LLC f/k/a Specialty Healthcare and Rehabilitation of Mobile v. NLRB), arose after the union had petitioned to represent a unit of 53 full-time and part-time CNAs, Specialty claimed that the smallest appropriate unit must include 86 other service and maintenance employees.  The NLRB Regional Director found the unit appropriate and conducted the election, which the union won.  The NLRB granted review, asked the parties and public for their views on eight questions on community of interest unit determinations in the non-acute care healthcare industry, and ultimately issued a decision upholding the unit determination and the union’s election victory.

In its decision, the Board overruled Park Manor Care Center, 305 NLRB 872 (1991), which applied a “pragmatic or empirical community of interests approach” to determining unit appropriateness in nursing homes.  Instead, the Board ruled that it would apply the traditional test to evaluate appropriateness, which examines whether a proposed unit is readily identifiable and shares a community of interest distinct from other employees.  Then, the Board explained, if “a party contends that a petitioned-for unit containing employees readily identifiable as a group who share a community of interest is nevertheless inappropriate because it does not contain additional employees, the burden is on the party so contending to show that the excluded employees share an overwhelming community of interest with the included employees.”  Because the CNA-only unit was readily identifiable and shared a distinct community of interest, and because Specialty failed to show that the excluded service and maintenance employees shared an overwhelming community of interest with the CNAs, the Board certified the unit and the union’s victory.  Specialty refused to bargain, and this technical NLRA Section 8(a)(5) proceeding followed.

The Sixth Circuit affirmed the Board’s order and its clarification of the community-of-interest test.  First, rejecting Specialty’s argument that the Board did not merely embrace the traditional community-of-interest test but instead improperly created an entirely new framework, the court held that the Board permissibly “adopted a community-of-interest test based on some of the Board’s prior precedents, and . . . did explain its reasons for doing so.”  In so holding, the court explicitly recognized the ambiguity in the Act’s command that bargaining units must be “appropriate,” and observed that the Board merely granted Judge Posner’s “wish that the Board would give [the traditional community-of-interest test] ‘a precise meaning.’” Slip op. at 13 (quoting Cont’l Web Press v. NLRB, 742 F.2d 1087, 1090 (7th Cir. 1984)).

Next, the court concluded that the Board acted within its discretion in requiring a party claiming that the smallest appropriate unit must include additional employees to show that the excluded employees share an “overwhelming community of interest” with the proposed unit.  Indeed, the court explained that “[t]he Board has used the overwhelming-community-of-interest standard before, so its adoption [here] is not new.”  After citing numerous cases, including the D.C. Circuit’s Blue Man Vegas LLC v. NLRB, 529 F.3d 417 (D.C. Cir. 2008), the court agreed that the Board merely clarified existing law, overruled any inconsistent precedent, appropriately placed the burden of proving overwhelming community of interest on the employer (who typically possesses the information to make that case), and explained its reasons for doing all of the above.

Turning to Specialty’s third defense, the court concluded that the Board’s test did not run afoul of Section 9(c)(5), which prohibits the Board from finding “the extent to which the employees have organized . . . controlling” in making unit determinations.  To the contrary, the court noted that the Board first engaged in an independent community of interest determination to find out whether the proposed CNA-only unit was appropriate “aside from the fact that the union had organized it.”  Further, “[a]s long as the Board applies the overwhelming community of interest standard only after the proposed unit has been shown to be prima facie appropriate, the Board does not run afoul of the statutory injunction that the extent of the union’s organization not be given controlling weight.”  Slip op. at 19 (internal quotations omitted and emphasis in original).

Finally, the court held that “the Board did not abuse its discretion in adopting a generally applicable rule through adjudication instead of rule making because NLRB v. Bell Aerospace Co. Div. of Textron, Inc., 416 U.S. 267, 294 (1974), holds both that ‘the Board is not precluded from announcing new principles in an adjudicative proceeding and that the choice between rule making and adjudication lies in the first instance within the Board’s discretion.’”

The Court’s opinion is available here.

The Speciality ruling reminds health care and other employers of the highly union-friendly bent of the NLRB under the current administration, as well as the hazards of mishandling efforts to defend against union organizing and other protected activities under the NLRA.  Beyond the obligation to recognize and bargain with properly certified collective bargaining unions, the NLRB and other federal labor laws also grant employees a host of other protections.  Among these are recently affirmed rights-even for a worker not represented by a union – to insist another employee be present when participating in disciplinary and certain other meetings with management, rules limit the ability of employers to prohibit or restrict employees requiring employees to keep confidential and not discuss among each other  salary, wages or other terms of compensation or employment  terms and conditions, and others.  For this reason, health care or other organizations should seek the advice and assistance of qualified legal counsel experienced with labor management relations matters to review policies for compliance, to prepare and administer anti-organizing activities, and to evaluate and respond to union organizing or bargaining activities.

For More Information Or Assistance

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD, and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Board Certified in Labor and Employment Law, Ms. Stamer’s experience includes continuous involvement in advising and representing health care organizations about employment, labor-management, peer review and staffing and other workforce management and compensation concerns.  Ms. Stamer also continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


$1.2M HIPAA Settlement Results From Improper Copier Disposal

August 15, 2013

Be careful when repurposing or disposing of copiers and other equipment and media that may contain protected health information.  That’s the message the Office of Civil Rights is sending health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates in its August 14, 2013 announcement of a $1.2 million plus settlement agreement with Affinity Health Plan, Inc. (Affinity) under the Health Insurance Portability & Accountability Act Privacy and Security Rules.

According to OCR, the non-profit New York area managed care plan Affinity will pay $1,215,780 and take other corrective actions to settle alleged HIPAA violations under the Affinity Resolution Agreement and CAP (Affinity Settlement).  The settlement comes as the September 24, 2013 deadline for health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates to update the written business associate agreements that HIPAA requires exist before business associates can be allowed to create, use, access or disclose personally identifiable health care information protected by HIPAA (PHI) to carry out HIPAA-covered functions on behalf of a Covered Entity to comply with changes to HIPAA’s implementing regulations adopted by OCR earlier this year.  Health plans and other Covered Entities should take timely action to confirm that their existing procedures appropriate safeguards to protect PHI when using or disposing of copiers or other equipment or media as well as to implement business associate or other policy, procedures or training updates required to comply with the updated HIPAA rules.

HIPAA Updates Require Breach Notification, Tightened Other HIPAA Requirements

HIPAA generally requires that Covered Entities (and after September 24, 2013, their business associates) safeguard and restrict the use, access or disclosure of PHI as required by HIPAA.  The HITECH Act amended these requirements to tighten certain of these requirements and restrictions, to expand the sanctions for violation of these requirements, to require Covered Entities and their business associates to provide notification of breaches of unsecured PHI to individuals whose information was breached, OCR and in some cases, the media, and made certain other changes to the original requirements of HIPAA.  Earlier this year, OCR amended and restated its original Privacy and Security Rules here (2013 Final Rule) to comply with changes in the regulations resulting from these HITECH Act amendments beginning last March, but set the deadline for updating business associate agreements to meet these updated requirements at September 23, 2013.

The 2013 Final Rule and other OCR guidance makes clear that OCR expects Covered Entities and their business associates appropriately to safeguard PHI stored in computers, hard drives, and other digital media until it is properly disposed in accordance with the updated standards required by HIPAA as implemented under the 2013 Final Rule. HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information, including breaches resulting from failure to properly secure PHI stored in digital format until it has been destroyed in accordance with the standards established by the 2013 Final Rule.   OCR previously has sanctioned other Covered Entities for failed to properly destroy or safeguard PHI stored in digital format on computer or other equipment before abandoning or disposing of that equipment.  The Affinity Settlement reaffirms OCR’s concern that Covered Entities meet these disposal requirements when replacing or abandoning equipment containing electronic PHI.

Affinity Settlement Highlights

According to the August 14, 2013 OCR announcement of the settlement, the settlement resulted from an investigation initiated after Affinity filed a breach report with OCR on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)

In its breach report, Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity.  CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Affinity estimated in its breach report that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, OCR reports its investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the Affinity Settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Learn From Affinity Lesson On Proper Disposal Procedures

Like prior OCR settlements stemming from inadequate security for PHI when transitioning equipment, media or facilities, the Affinity Settlement sends another reminder to Covered Entities and their business associates again of the importance of using appropriate procedures to protect or dispose of PHI when replacing or redeploying equipment or media that may contain PHI.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez.  “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

OCR has published guidance concerning HIPAA’s requirements for the proper safeguarding and disposal of media and equipment in the 2013 Final Rule and other guidance.  Concerning the proper disposition of copiers that may have PHI stored on their hard drives or in other digital formal, OCR in the Affinity Settlement recommended that Covered Entities and their associates also review the Federal Trade Commission’s Guidance On Safeguarding Sensitive Data Stored In The Hard Drives Of Digital Copiers and the National Institute of Standards and Technology has issued Guidance On Assessing The Security Of Multipurpose Office Machines.  Covered Entities and their business associates should use this and other guidance to ensure that they can demonstrate that appropriate practices and procedures have been used to when disposing of or repurposing copies or other equipment that may contain electronic PHI.

HIPAA Regulation Updates Require Other Updates Beyond Disposal Procedures

In addition to addressing the concerns that lead to the Affinity Settlement, Covered Entities and their business associates also should verify that their practices, policies, privacy notices, business associate agreements, and training also are updated to comply with updates to the updated 2013 Final Rule adopted by OCR earlier this year here.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations.  While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to  its HIPAA Rules. The 2013 Regulations published today fulfill  that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For More Information Or Assistance

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Former White House Cybersecurity Coordinator Schmidt, Stamer & Others Share Key HIPAA & Other Privacy & Data Security Insights 5/21 In LA

May 3, 2013

SLP Readers Get Discount: Go to
blocked::http://securitysummitla.eventbrite.com/” href=”http://securitysummitla.eventbrite.com/” data-mce-href=”http://securitysummitla.eventbrite.com/”://securitysummitla.eventbrite.com/ and enter Promotional Code: Health_Summit_125

Former White House Cybersecurity Coordinator Howard Schmidt and Solutions Law Press, Inc. editor attorney Cynthia Marcotte Stamer are two of an impressive lineup of leaders scheduled to share key HIPAA & other privacy and data security compliance and risk management strategies at the Healthcare HITECH Privacy and Security Summit at the Fifth Annual Information Security Summit on May 21 in Los Angeles.  The program offers essential insights for hospitals, physicians, and other health care providers, health plans and insurers, employers and other health plan sponsors, fiduciaries and administrators, their business associates and other business partners and others on what their organizations should do to cope with the rapidly changing and expanding privacy and data security obligations of HIPAA and other federal and state laws.

With  the rapidly approaching and privacy and data breach penalties and enforcement rising, health care providers, health plans, health care clearinghouses and their business associates must get moving to update business associate contracts, policies and notices and processes to meet changing HIPAA rules while managing ongoing compliance and risks.

Former Cybersecurity Coordinator Schmidt Keynotes

The Healthcare HITECH Privacy and Security Summit will bring together leaders in Privacy and Security within government and private industry for a day of collaboration, networking and presentations by leading Privacy and Security professionals sharing who HIPAA covered entities and business associates need to know to  comply with new HITECH rules and  OCR investigations.

Stamer Speaks On Latest HIPAA Rules & Developments

Solutions Law Press, Inc. editor attorney Cynthia Marcotte Stamer will help lay the foundation for the workshop by briefing participants on changes made to HIPAA rules by the new Omnibus HIPAA Rulemaking changes that the Office of Civil Rights (OCR) plans to start enforcing in September, 2013.

Armed with the latest insights from serving as the scribe for the ABA JCEB annual agency meeting with the Office of Civil Rights (OCR), Ms. Stamer, a practicing attorney and widely published author and speaker, will discuss required changes and other recommended steps and strategies that covered entities and their business associates should take to maintain HIPAA compliance and manage HIPAA and other related risks  in light of the Omnibus HIPAA Rulemaking changes, new OCR guidance for health care providers about disclosures to avert threats to health or safety, recent audit and enforcement activities and other changing risks and responsibilities including:

  • The latest on OCR’s regulatory guidance, audit and investigation and enforcement rules, actions and strategies and their implications on covered entities and business associates;
  • Changes to breach notification rules and their implications on covered entities and their business associates;
  • Practical implications of new rules on who is covered and their responsibilities;
  • Required and recommended updates to policies, business associate and other agreements, privacy notices and other HIPAA compliance arrangements;
  • Effective training and other risk management strategies;
  • Planning for, investigating and mitigating PHI privacy breaches and other compliance concerns under new rules other selected events; and
  • Other selected strategies for coordinating HIPAA and other privacy and data breach responsibilities and risk management; and
  • Participant questions.

For a complete agenda, to register, to get details on sponsorship or for other information, see here.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experience with health plan privacy and data security matters, Ms. Stamer serves as the scribe for the ABA JCEB Annual Technical Session meeting with OCR each May and has worked, spoken and published extensively on these and other privacy and data security concerns and controls.  Extensively published and a popular speaker on HIPAA and other data security matters, Ms. Stamer works extensively with health care providers, health plans, employers, insurance and financial services, technology and other clients on privacy, data seurity and other privacy and cybercrime concerns.  She also serves as the Scribe for the ABA JCEB Agency Techical Sessions Meetings with the Office of Civil Rights which occur each May in Washington, D.C.

Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to DEA and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. 

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.   ©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

September 17, 2012

Physician practices and other health care providers, health plans, health care clearinghouses and their business associates have yet another $1 million plus reminder of the importance of taking proper steps to secure electronic protected health information and take other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services’ (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) on September 17, 2012. 

MEEI Resolution Agreement

The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects.  The laptop information included patient prescriptions and clinical information. 

OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices , and adopting and implementing policies and procedures to address security incident identification, reporting, and response.  OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

To settle the charges, MEEI will pay a $1.5 million settlement to OCR.  In addition, the Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.

High Dollar Resolution Agreements Increasingly Common

The MEEI Resolution Agreement follows on the resolution agreement previously announced this year with Arizona-based Phoenix Cardiac Surgery, P.C. (PCS). That resolution agreement required PCS to pay $100,000  and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated HIPAA.

Health care providers and other HIPAA-covered entities should heed the MEEI, PSC and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer appropriate HIPAA compliance practices.

Following the announcement by OCR last month that Blue Cross Blue Shield of Tennessee (BCBST) would pay $1,500,000 to resolve HIPAA violations charges, and the latest in a series of Resolution Agreements announced by OCR in recent years, the PCS highlights the willingness to sanction health care providers and other covered entities of all sizes.  “The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteCovered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.  For tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.  Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.   

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here or contact Ms Stamer here or at (469) 767-8872.


[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

Other Recent Updates & Resources

If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters.  Recent examples on health care compliance and risk management matters include:

For additional resources and publications training materials by Ms. Stamer, see here.  

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.


Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference

March 14, 2012

On Wednesday, March 14, 2012 at 1 p.m. EDT, National eHealth Collaborative’s NeHC University will host Stephen Palmer, Director of the Office of e-Health Coordination at the Texas Health and Human Services Commission, to describe the HIE strategy being pursued by the state of Texas. Palmer will be joined by Kem McClelland of the Integrated Care Collaboration, Tony Gilman of the Texas Health Services Authority, and Bryan White of the North Texas Accountable Healthcare Partnership to showcase the Texas strategy in action and detail the progress that has been made on the ground. 

To participate register and join NeHC University’s Spotlight on the Texas Statewide HIE Strategy.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.  Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.   

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.


[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.  Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.   

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

Other Recent Updates & Resources

If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters.  Recent examples on health care compliance and risk management matters include:

For additional resources and publications training materials by Ms. Stamer, see here.  

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.


$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report

March 13, 2012

Resolution Agreement Also 1st Announced With Health Plan

Health care providers, health plans and other covered entities beware and prepare! Reporting a large breach under the HITECH Act breach notification rules will trigger a Department of Health & Human Services (HHS) Office of Civil Rights (OCR) investigation into whether OCR should impose civil monetary penalties against the reporting covered entity under the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay OCR $1,500,000 and to take certain other actions specified in a corrective action plan to avoid civil monetary penalties for charges of HIPAA violations.  The BCBST Resolution Agreement is particularly significant, both as:

  • The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
  • The first reported resolution agreement reached with a covered entity that is a health plan.

These notable enforcement firsts show the HITECH Breach Notification Rule’s significance as an OCR HIPAA enforcement tool, the heightened exposure to an OCR opening a HIPAA civil monetary penalty (CMP) investigation following a report, as well as the willingness of OCR to sanction health plans as well as other covered entities that breach HIPAA’s Privacy or Security Rules.

BCBST Investigation Began In Response to HITECH Act Breach Notification Rule Report

The OCR investigation that lead to the BCBST settlement began in response to BCBST making a report required under the Breach Notification Rule of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee, which contained the protected health information (PHI) of over 1 million individuals.  Read more details here.

The Breach Notification Rule enacted as part of amendments to HIPAA under the HITECH Act requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media as well as an annual consolidated report of smaller breaches to HHS.[1]  Along with the Breach Notification Rules, the HITECH Act also increased the civil monetary penalties (CMPs) that covered entities like BCBST can incur for HIPAA violations. When it imposed its first ever CMP last year, OCR imposed a $4.3 million CMP against Cignet Health of Prince George’s County, Md. (Cignet).

In an apparent effort to impose a potentially larger CMP assessment arising from the investigation of its breach report, BCBST greed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The BCBST Resolution Agreements, like the Cignet CMP and other high dollar Resolution Agreements OCR has announced against various health care providers highlight the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as the significance of its Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” 

The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteCovered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.  Fortips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.  Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.   

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.


[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.  Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.   

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

Other Recent Updates & Resources

If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters.  Recent examples on health care compliance and risk management matters include:

For additional resources and publications training materials by Ms. Stamer, see here.  

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.


Monday 9/13 Deadline To Comment Proposed HITECH Act HIPAA Privacy Rules; 9/14 Meeting Studies Proposed Changes

September 10, 2010

 9/14 NTHCPA Meeting on Strategies for Managing HIPAA Privacy Compliance After The HITECH Act

Health care providers, payers, healthcare clearinghouses and their businesses associates (Covered Entities) face a Monday, September 13, 2010 deadline to comment on proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules proposed by the U.S. Department of Health & Human Services Office for Civil Rights (OCR) on July 8, 2010 in response to amendments enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. If adopted as proposed, the more than 220 page Notice of Proposed Rulemaking (NPRM) will significantly tighten the requirements that existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) applicable to Covered Entities under HIPAA. With the risks of HIPAA noncompliance highlighted by OCR’s August announcement that drugstore giant RiteAid would pay $1 million to settle OCR charges that it violated the existing HIPAA’s Privacy & Security Rules  and considering , Covered Entities Learn more about Rite Aid Resolution Agreement here. Learn more about Breach Notification Rules here.

The North Texas Health Care Compliance Professionals Association invites health industry compliance professionals share and learn Strategies for Managing HIPAA Privacy Compliance After the HITECH Act by participating in its September 14, 2010 meeting from 11:30 a.m. – 1:30 p.m. hosted by Cynthia Marcotte Stamer, P.C., at One Hanover Park, 16633 North Dallas Parkway, 6th Floor, Addison Room, Addison, Texas 75001.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on HIPAA and other health industry compliance, management and operations matters.  You can get more information about her health industry experience here.  If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry and human resources matters, Ms. Stamer continuously advises health industry clients about health industry and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

©2010 Solutions Law Press. All rights reserved.


%d bloggers like this: