Bankrupt Oncology Provider’s $2.3M Settlement Payment & Other HIPAA Breach Consequences Show Why To Prioritize HIPAA Compliance In 2018

December 29, 2017

The just-announced $2.3 million settlement payment (Resolution Amount) that now-bankrupt radiation oncology and cancer care provider 21st Century Oncology, Inc. (21CO) is paying to settle Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violation charges, together with the other continuing post-breach fallout that helped push 21CO to file for Chapter 11 bankruptcy protection, demonstrates again why HIPAA-covered health care providers, health plans, health care clearinghouses and their business associates (covered entities) must make HIPAA compliance and risk management a high priority in 2018.

Distinctive as the first HIPAA resolution agreement requiring bankruptcy court approval and for the bankruptcy court’s order directing the covered entity’s cyber liability insurer to pay the Resolution Payment and other investigation defense expenses, the 21CO resolution agreement resolves potential civil monetary penalty exposures that the Fort Myers, Florida based provider of cancer care services and radiation oncology could have faced from the Department of Health & Human Services Office of Civil Rights (OCR) charges that it violated HIPAA’s Privacy and Security Rules arising from the hacking and misappropriation of records containing sensitive electronic protected health information (ePHI) of up to 2,213,597 individuals.

When conducting their own 2018 HIPAA or other compliance investigation activities or planning HIPAA compliance and risk management activities, covered entities and their business associates and their leaders should use the lessons of 21CO’s painful post-breach experience to minimize their own HIPAA breach exposures, as well as consider how amendments to Internal Revenue Code Section 162(f) might impact the tax deductibility of certain compliance expenditures.

21CO HIPAA Breaches & Fallout

The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 that an unauthorized third party had illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by an FBI informant. As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.

Although it knew of the breaches in November and December 2015, 21CO waited more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.

When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused. However, in news reports and lawsuits about the breach, victims of the breach subsequently have claimed to have been victimized by a variety of scams since the breach.

At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues. On December 16, 2015, 21CO announced that a 21CO subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015). Among other things, the corporate integrity agreement under that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws. In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of a state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA. See 21CO 8-K Re: GAMMA Settlement March 9, 2016; see also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.

As the breaches impacted more than 500 individuals, 21CO’s HIPAA breaches were considered large breaches for purposes of the Breach Notification Rules.  It is the policy of OCR to investigate all large breach notifications filed under the HIPAA Breach Notification Rules.

Based on OCR’s subsequent investigation into these breaches, OCR found:

  • 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
  • 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
  • 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(a) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
  • 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. § 164.308(a)(1)(ii)(D);
  • 21CO disclosed protected health information to third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

The Resolution Agreement settles potential charges and exposures to potentially much higher civil monetary penalties that 21CO could have faced had OCR successfully prosecuted charges against 21CO for the breaches. In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement requires that 21CO pay OCR a $2.3 million Resolution Amount and implement a corrective action plan that, among other things, requires 21CO to complete the following corrective actions to the satisfaction of OCR:

  • To complete a risk analysis and risk management plan;
  • To revise its HIPAA policies and procedures regarding information system activity review to require the regular review of audit logs, access reports, and security incident tracking reports pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(D);
  • To revise its policies and procedures regarding access establishment and modification and termination pursuant to 45 C.F.R. § 164.308(a)(4)(ii)(C) and 45 C.F.R. § 164.308(a)(3)(ii)(C) to include protocols for access to 21CO’s e-PHI by affiliated physicians, their practices, and their employees;
  • To distribute its policies to and educate its workforce on the updated and other HIPAA policies and procedures;
  • To provide OCR with an accounting of 21CO’s business associates that includes names of business associates, a description of services provided, a description of the business associate’s handling of 21CO’s PHI, the date services began and copies of the actual business associate agreement with each business associate; and
  • To submit an internal monitoring plan to OCR.

In addition to the OCR investigation that led to the new HIPAA resolution agreement announced by OCR on December 28, 2017, 21CO experienced other fallout following its March 4, 2016 public disclosure of the breach. Not surprisingly, the breach notification led to a multitude of class-action civil lawsuits by breach victims and shareholders. See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits. Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts. See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.

These and other developments also had significant consequences for 21CO’s financial status and leadership. By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements. Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders, default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.

Insurer Funding $2.3 Million Settlement Payment For Bankrupt 21CO

The 21CO resolution agreement required bankruptcy court approval. Funds for payment of the required $2.3 million resolution payment and other charges associated with the investigation apparently are being provided in part from breach liability insurance coverage provided under a policy issued by Beazley Insurance, as the Bankruptcy Court order directs Beazley Breach Response Policy No. W140E2150301 to make immediate payment to the OCR of the resolution amount and the payment of fees incurred by 21CO in connection with regulatory defense issues.

Settlements Highlight Growing Risks Of Noncompliance, Lack Of Data Security

One of a growing multitude of multimillion dollar HIPAA resolution agreements to avoid HIPAA civil monetary sanctions that OCR already has announced, the 21CO resolution agreement announcement also comes when a steady stream of reports of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses is stoking government and public awareness and concern over health care and other data privacy and cybersecurity. Beyond their potential HIPAA enforcement exposures, health care or other covered entities experiencing breaches often also face FTC or other government investigations and enforcement under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other rules, as well as business losses and disruptions; civil litigation from breach victims, shareholders and investors, and business partners; and OCR, FTC, and state data security regulation enforcement. Amid this growing concern, OCR has indicated that it intends to continue diligently both to support and encourage voluntary compliance by covered entities and their business associates and to investigate and enforce HIPAA against HIPAA covered entities and their business associates that fail to adequately safeguard PHI and ePHI in accordance with HIPAA. In the face of these growing risks and liabilities, covered entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences.

In light of these risks, leaders, investors, insurers, lenders and others involved with covered entities and their business associates should take steps to verify that the covered entities and their business associates not only maintain compliance with HIPAA, but also maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.

As a part of this planning, covered entities and their business associates also generally will want to consider changes to federal tax rules on the deductibility of compliance penalties and other related compliance expenditures. While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts (other than any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

  • Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
  • Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
  • Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
  • In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, covered entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career. Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also extensively contributes her leadership and insights with other professionals, industry leaders and lawmakers. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and its rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Healthcare Fraud Exposures Significant & Rising For Owners, Execs & Other Leaders

October 17, 2016

Owners, operators, and leaders of health care organizations face an ever-growing imperative to lock down compliance by the organization and its employees and agents both to protect their organizations and its investors and themselves personally against the criminal, civil and administrative sanctions that result when health care organizations or their people break the rules.

The Department of Health and Human Services Office of Inspector General (OIG) and the Department of Justice (DOJ) increasingly are going after owners, operators and other leaders of healthcare organizations for participating in, failing to act to prevent or inadequately investigating and redressing fraud or other illegal conduct in their organizations or by members of their organization’s team. Leaders and owners need to learn the rules and what to do to manage their risk. Owners and leaders must get informed about their expectations and exposures and learn and take the right steps to adopt compliance plans, monitor and enforce compliance, investigate and redress concerns and deal with these responsibilities and risks.

The latest slew of federal health care fraud prosecutions reported by DOJ and OIG during the first two weeks of October illustrate some of the risks owners and executives face when they, their organization or employees or agents violate these rules.  DOJ and federal regulators like OIG have made clear that they construe these rules to require leaders both to abstain from violating these laws and to adopt and administer effective compliance plans, oversight and other actions to train and prevent their employees and agents from violating these rules.  See, e.g., Practical Guidance for Health Care Governing Boards on Compliance Oversight.

Of course, owners and management leaders inevitably face significant financial loss and other fallout if their organizations or members of their teams are found to have violated federal or state health care fraud laws.  Over the past decade, however, owners and leaders increasingly also face growing risks of personal prosecution when their organization or someone on their team breaks the rules.

Owners, executives or other leaders who may be tempted to underestimate the significance of these warnings should note DOJ’s increasingly aggressive and heavy handed prosecution of owners, executives and other leaders who either directly participate in, or by failing to adopt or administer meaningful compliance and investigation practices, are perceived to have allowed, encouraged or facilitated employees or agents to engage in actions that DOJ, OIG or other federal regulators consider fraudulent.

DOJ’s growing emphasis on holding health care executives accountable for health care fraud or other violations of federal health care and other laws is clearly reflected in the prosecutions and convictions it announced during the first two weeks of October. These clearly demonstrate the critical need for health care organization owners, officers and other leaders (executives) to safeguard themselves personally, as well as their organizations, against becoming targeted or convicted of health care fraud or other violations of federal health care laws by ensuring their organization adopts and administers effective compliance programs and taking other meaningful, well-documented steps to ensure the effectiveness of these compliance efforts.

Federal criminal and civil health care fraud laws both prohibit owners, operators and executives from participating in or conspiring to violate federal anti-kickback, anti-referral, false claims and other health care fraud laws, as well as provide various mechanisms that impose liability against owners and executives that fail to adopt and administer appropriate compliance, audit and other oversight and enforcement processes and procedures.  Since October 1, 2016, for instance, DOJ has announced the following healthcare charges, convictions and settlements involving owners and executives.

Of course, the costs and liabilities of federal criminal or civil investigations and prosecutions are only part of the challenges an organization and its leaders generally face when their healthcare organization or its actions are questioned under federal health care fraud or other laws.  Whistleblower or other claims of employees and agents claiming to have been penalized for questioning practices, shareholder or other investor lawsuits, federal program disqualification, loss of position or reputation, the financial and other burdens of responding to and defending investigations and charges and a parade of other horribles that typically attend investigations and prosecutions also often exact a heavy toll on health care organization owners and leaders caught up in federal fraud investigations or prosecutions.

In the face of these growing risks, healthcare owners, executives and other leaders need a clear and up to date understanding of health care fraud laws and the obligations and expectations that these rules create not only for their organizations, but also increasingly for them personally. Owners and other leaders need to understand the health care fraud rules, the ways that liability can attach not only to their organization but also themselves and their leaders under these rules, the burdens of proof and assumptions that create special challenges in responding to challenges or defending charges, and the actions and strategies they should take before, during, and after a compliance issue or prosecution arises to strengthen their ability to defend or mitigate their and their organization’s liability exposures. As part of these efforts, owners and leaders should ensure that their organization adopts, trains staff and others on, and meaningfully administers up-to-date compliance programs in a manner that clearly documents the commitment of their organization and its leaders to compliance. Owners, executives and leaders also should become educated about what DOJ, HHS and other agencies and whistleblowers are likely to expect concerning their role and actions as owners and leaders both in establishing a clear expectation of compliance, as well as adopting, overseeing and enforcing practices and policies to maintain compliance, investigate and redress potential wrongdoing and otherwise maintain the compliance and culture expected and required under federal law. Owners and leaders should ensure that they and others in their organization are trained to recognize potential compliance issues, understand the steps they and their organization need to take when a potential compliance concern arises, and how to conduct and document investigations and other actions to strengthen their and their organization’s ability to defend against potential charges or other claims.

Owners, executives and other leaders also should anticipate, and prepare in advance for, the likelihood that they and their organizations will need to respond to investigations, suspected violations, whistleblower claims and other events that could create substantial exposure for their organizations and themselves personally. Leaders need to understand that the nature and risks associated with these potential health care fraud liabilities may make commonly used settlement or other practices for quickly resolving disputes or other concerns ill-advised. Owners and leaders bearing these responsibilities should seek specific advice and training about their responsibilities, as well as recommended strategies for investigating and responding to concerns that may carry or give rise to these risks. Most leaders also will want to ensure that their employment, shareholder and other agreements include sufficient flexibility and protections to protect the executive or other leader from termination, retaliation or other loss or injury for taking appropriate steps to investigate and respond to a compliance concern, as well as plan in advance by arranging for their organization to provide indemnification, insurance or other coverage, and/or personally securing coverage needed to fund what often may be substantial legal fees arising out of investigation and defense of investigations, charges, or other actions and the corporate, employment and other fallout that often accompanies such events.


About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is an AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry clients and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters by Martindale-Hubbell as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns.  The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.


Health Care Org’s ERISA Health Plan Reimbursement Opportunities & Compliance Obligations Free 9/15 Study Group Topic

September 9, 2015

Solutions Law Press, Inc. is happy to share information about this upcoming free health industry study group meeting on 9/15/2015 in Irving, Texas.

NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONALS ASSOCIATION

Invites Members and Guests to Our Next Group Luncheon

Employee Benefit Security Administration Insights On Healthcare Organization’s Health & Other Employee Benefit Plan Rights & Responsibilities Under Employee Retirement Income Security Act

Featuring

Kristi Gotcher

U.S. Department of Labor Employee Benefit Security Administration Investigator

Tuesday, September 15, 2015

11:30 a.m. to 1:30 p.m.

DFW Hospital Council Offices

250 Decker Drive

Irving, Texas

RSVP here  by Noon on September 14, 2015

Space Limited!  Register Early To Reserve Your Spot To Participate!

 

Please share this invitation with others who might be interested in this topic or other NTHCPA events!

The North Texas Healthcare Compliance Professionals Association (NTHCPA) invites members and other interested health care compliance professionals to join us on Tuesday, September 15, 2015 from 11:30 a.m. to 1:30 p.m. for our Study Group Luncheon featuring a program on “Employee Benefit Security Administration Insights On Healthcare Organization’s Health & Other Employee Benefit Plan Rights & Responsibilities Under Employee Retirement Income Security Act” from U.S. Department of Labor Employee Benefit Security Administration (EBSA) Investigator Kristi Gotcher.

The health and other employee benefit plan rules of the Employee Retirement Income Security Act (ERISA) generally offer important protections and create significant compliance challenges for health care organizations and providers.  On one hand, health care providers generally rely heavily on their or their patients’ ability to obtain health benefits promised under employer or union-sponsored health plans covering their patients to help reimburse provider charges.  Meanwhile, health care providers and their leaders also can incur significant liability for failing to comply with ERISA’s rules when establishing and maintaining health or other employee benefit programs for their own employees.  Drawing on her involvement as an investigator with EBSA, the Department of Labor agency primarily responsible for both interpreting and enforcing ERISA’s rules, Ms. Gotcher will share key updates and insights on how ERISA and the EBSA can help patients and providers enforce benefit rights under ERISA-covered health plans, and will highlight key health and other employee benefit compliance responsibilities that health care organizations and their leaders need to ensure that their own health and other employee benefit programs meet to avoid violating ERISA.

About the Speaker

Kristi A. Gotcher is an Investigator with the United States Department of Labor, Employee Benefits Security Administration (EBSA) in the Dallas Regional Office.   Kristi began working for EBSA in the Dallas Regional Office in November 2007 as a Benefits Advisor.  She earned her Bachelor of Arts in Social Political Relations from St. Edwards University and a J.D. from Texas Wesleyan University School of Law (now Texas A&M University School of Law).  Ms. Gotcher is licensed to practice law in the State of Texas.

Registration & Meeting Details

The meeting is scheduled from 11:30 a.m. to 1:30 p.m. on Tuesday, September 15, 2015 at the DFW Hospital Council Offices located at 250 Decker Drive, Irving, Texas.  Participants who timely R.S.V.P. will enjoy a complimentary luncheon. Networking and lunch service will begin at 11:30. Our program will begin at Noon.

NTHCPA encourages members and other interested health care compliance professionals to register early to reserve their spot to participate and to share this invitation with others in the industry who might benefit from participation.

There is no charge to participate in the meeting.  However, space is limited and available only on a first-come, first-served basis.  To ensure your spot and help us to arrange for adequate space and refreshments for this meeting, R.S.V.P. here as soon as possible and no later than Noon on September 14, 2015.  Walk-in guests will be accommodated on a space-available basis only.

Thanks To Meeting Underwriter Stamer │Chadwick │Soefje, PLLC

NTHCPA and its members extend our thanks to Cynthia Marcotte Stamer, P.C. and the other members of Stamer │Chadwick │Soefje, PLLC for underwriting this month’s study group luncheon and other support of NTHCPA.

A boutique firm of exceptionally experienced and skilled “big-firm” lawyers committed to changing the way law firms serve their clients, Stamer │Chadwick │Soefje, PLLC delivers sophisticated legal advice and innovative solutions to the most challenging and complex problems. Simply put, Stamer │Chadwick │Soefje, PLLC attorneys are “Solutions Lawyers™.”

Stamer │Chadwick │Soefje, PLLC attorneys deliver sophisticated legal advice and innovative solutions to the most challenging and complex problems. Stamer │Chadwick │Soefje, PLLC attorneys possess the breadth of experience to respond to the unique legal and operational challenges health industry and other clients face and help guide them toward pragmatic resolutions that make sense for them. “Solutions Lawyers™” possess the breadth of experience to respond to the unique challenges our corporate and individual clients face and help guide them toward pragmatic resolutions that make sense for them.

Founded by nationally-known healthcare and labor & employment attorney Cynthia Marcotte Stamer; labor & employment attorney Robert G. Chadwick; and professional liability and civil litigation attorney Timothy B. Soefje, Stamer │Chadwick │Soefje, PLLC focuses on advising and representing businesses and professionals nationally in the areas of healthcare, cyber liability, ERISA, employee benefits, labor & employment, corporate and commercial litigation, professional liability, construction litigation, and insurance defense.  All three attorneys are rated AV® Preeminent™ by Martindale-Hubbell® Peer Review Ratings™.  Ms. Stamer and Mr. Chadwick are both Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, are Fellows in the American Bar Foundation, and recognized as “Top Lawyers” in Labor and Employment Law.  Ms. Stamer also has received recognition as a “Top” attorney in health care and employee benefits law and is a Fellow in the American College of Employee Benefit Council.

Ms. Stamer has more than 28 years’ experience advising and representing health industry and employee benefit clients on a wide range of legal, public policy, management and operational concerns as well as extensive leadership and management experience serving on the board of health industry nonprofit organizations. Nationally recognized for her legal work, advocacy, publications, writings and presentations on health industry concerns, Ms. Stamer provides legal and management advice, training and coaching, defense, public policy and regulatory advocacy to health industry and other clients on health and other regulatory and operational compliance, federal and state public policy and enforcement, managed care and other contracting, reimbursement, fraud, quality, employment, staffing and other workforce, benefits, licensing, credentialing and peer review, safety, disaster preparedness and response, HIPAA and other privacy and data security, corporate governance, investigations and internal controls, and a host of other health industry compliance and risk management and other legal and operational concerns. In addition to her legal experience, Ms. Stamer also contributes her experience and talents to serving in a number of health industry and other civil and professional groups.  Among other things, Ms. Stamer serves as Vice President of the NTHCPA, the RPTE representative to the American Bar Association (ABA) Joint Committee on Employee Benefits Council and scrivener for its annual agency meeting with the Office of Civil Rights, the ABA International Section Life Sciences and Health Law Committee Vice President of Policy, RPTE Liaison to the ABA Health Care Coordinating Counsel, TIPS Employee Benefit Committee Vice Chair, Founder and Executive Director of the Project COPE:  The Coalition on Patient Empowerment, and National Physicians Council for Healthcare Policy.
She also previously served as President and Founding Board Member of the Alliance for Health Care Excellence and its Health Care Heroes and Patient Empowerment Programs, as RPTE Employee Benefits & Other Compensation Group Chair and Welfare Benefit Committee Vice Chair, Exempt Organizations Coordinator of the Gulf States Area TEGE Council, Board President and Audit Committee Chair of the Richardson Development Center for Children ECI Agency, National Kidney Foundation of North Texas Board Audit Committee Chair, and the United Way of North Texas Long Range Planning Committee.  She also has served and continues to serve in the leadership of many other civic and professional boards, seminar faculties, and editorial advisory boards, and publishes and speaks extensively on health industry and employee benefit related concerns.

Mr. Chadwick has extensive experience advising and defending health industry and other clients on OSHA and other occupational health and safety, employee benefits, compensation and other labor and employment concerns as well as defending boards and other management leaders against management liability claims.

Mr. Soefje has extensive experience advising and representing health industry clients and professionals on medical malpractice, officers and directors liability and other professional liability, errors and omissions, construction defect and other litigation and disputes.

For additional information, contact Ms. Stamer at cstamer@solutionslawyer.net.

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance professionals and others in North Texas who share these principles.  The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

We hope that this information is useful to you.  If you found these updates of interest, you also may be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:


Check Defensibility Of Policies & Practices Given New HHS/DOJ Joint Disability Law Technical Assistance

August 10, 2015

Child welfare agencies, health care providers and their contractors and other service providers should evaluate the adequacy and defensibility of their existing practices for accommodating and providing other services to individuals with disabilities and their families in light of the new joint technical assistance to state and local child welfare agencies and courts on the requirements of Title II of the Americans with Disabilities Act (ADA) and Section 504 of the Rehabilitation Act jointly announced by the Departments of Health & Human Services (HHS) and Justice (DOJ) under a new HHS/DOJ partnership intended to help child welfare agencies protect the welfare of children and ensure compliance with nondiscrimination laws announced here August 10, 2015.

Federal child welfare and discrimination laws generally prohibit discrimination on the basis of disability, and require providers of government programs, services, and activities to make reasonable modifications to their policies and practices when necessary to avoid discrimination on the basis of disability, unless such modifications would fundamentally alter the nature of the program or the services.  The new joint technical assistance addresses disability discrimination complaints that HHS and DOJ say the agencies have received from parents who have had their children taken away or otherwise have not been given equal opportunities to become foster or adoptive parents.

The technical assistance provides an overview of Title II of the ADA and Section 504 and examples about how to apply them in the child welfare system, including child welfare investigations, assessments, guardianship, removal of children from their homes, case planning, adoption, foster care, and family court hearings, such as termination of parental rights proceedings.  It also underscores that Title II and Section 504 prohibit child welfare agencies from acting based on unfounded assumptions, generalizations, or stereotypes regarding persons with disabilities.

HHS and DOJ hope “[p]roviding this technical assistance to state and local agencies and courts will help ensure that families who have a member with a disability get equal access to vital child welfare services,” said Mark Greenberg, HHS’ Administration for Children and Families’ Acting Assistant Secretary.

The new child welfare technical assistance is part of a broader ongoing emphasis on investigation and enforcement of disability and other discrimination laws by HHS, DOJ and other agencies under the Obama Administration. Under the Obama Administration, HHS, DOJ and other agencies already have heavily sanctioned many child welfare, health care and other agencies and providers for alleged violation of these and other federal disability discrimination laws.  See, e.g., Health Care Employer’s Discrimination Triggers Medicare, EEOC Prosecutions; Hospital Will Pay $75K For Refusing To Hire Disabled Worker; OCR Settlements Show Health Care & Disabled Housing Providers Face Growing Disability Discrimination Risks; Genesis Healthcare Disability HHS OCR Discrimination Settlement Reminder To Use Interpreters, Other Needed Accommodations For Disabled.  In the face of this emphasis, child welfare, health care and other agencies and their legal counsel and other service providers should expect greater deference and enforcement to the needs of children and parents with disabilities in child custody, adoption, divorce and other proceedings, as well as continued investigation and enforcement of disability and other discrimination laws against child welfare, health care, and other social service agencies, their legal counsel and other advocates and others providing services.  These and other organizations and service providers should evaluate the defensibility of the existing policies, practices and recordkeeping practices of their own organization, as well as those of their contractors and subcontractors in light of these and other disability discrimination laws, regulations and enforcement practices.

For More Advice, Assistance Or More Information

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Ms. Stamer is a highly regarded practicing attorney with extensive health industry legal and policy experience, also recognized as a knowledgeable and highly popular health industry thought and policy leader, who writes and publishes extensively on health industry concerns. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, recognized as a “Top” lawyer in Health Care, Labor and Employment and Employee Benefits Law, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 27 years’ experience advising health industry clients about these and other matters. Her experience includes advising and defending hospitals, nursing home, home health, physicians and other health care professionals, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies and programs in response under CMS, OCR, HHS, FDA, IRS, DOJ, DEA, NIH, licensing, and other regulations; prevent, conduct and investigate, and respond to Board of Medicine, OIG, DOJ, DEA, DOD, DOL, Department of Health, Department of Aging & Disability, IRS, Department of Insurance, and other federal and state regulators; ERISA and private insurance, prompt pay and other reimbursement and contracting; peer review and other quality concerns; and other health care industry investigation, and enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
This experience includes extensive work advising and defending physicians, practices, hospitals and other health care organizations and others about Medicare and other health care billing and reimbursement practices,  as well as advising and defending providers against Medicare, Medicaid, Tricare and other audits, prepayment suspensions, provider exclusions and provider number revocation, and counseling and defending providers, medical staff and peer review committees, hospitals, medical practices and other health care organizations and others in relation to the conduct of audits and investigations, peer review investigations and discipline, employment, licensing board and other associated events.

The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, past Board President of the Richardson Development for Children and former Board Audit Committee Chair of the National Kidney Foundation of North Texas, Ms. Stamer has led, advised, represented and conducted training and investigations of disability and other legal and operations risk management and compliance for early childhood intervention (ECI) and other childcare, health care, public and private schools, social service and other public and private organizations.  Ms. Stamer also has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.
In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others. Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer such as the following, see here:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. ©2015 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.


Latest OCR Resolution Agreement Hits Public Health Department, Shows Needs To Stay Up-To-Date

March 16, 2014

Health Department HIPAA Violations Cost County $250,000, Requires Sweeping HIPAA Reforms

Hear Update On Resolution Agreement & Other New HIPAA Developments At 3/18 North Texas Healthcare Professionals Association Meeting – 

RSVP here by Noon on March 17, 2014

Skagit County, Washington will pay a $215,000 monetary settlement and work closely with the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to correct deficiencies in its HIPAA compliance program to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules by the Skagit County Public Health Department (Health Department) under a Resolution Agreement announced by OCR on March 7, 2014.  The Resolution Agreement makes clear the need for health care providers, health plans, health care clearinghouses and their business associates to update and maintain their policies and practices in compliance with the constantly evolving OCR guidance and resolution agreements, as well as to timely investigate and report breaches.   Interested persons are invited to hear a briefing on a series of new developments including this latest Resolution Agreement at the March 18, 2014 North Texas Healthcare Professionals Association Meeting.

OCR investigated the Health Department after receiving a breach report that unknown parties accessed money receipts with electronic protected health information (ePHI) of seven individuals after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

OCR reports its investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information about the testing and treatment of infectious diseases.

OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

Specifically, the Resolution Agreement between OCR and the Health Department states that OCR found the following conduct occurred (“Covered Conduct”).

  • From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the ePHI of 1,581 individuals in violation of the Privacy Rule by providing access to ePHI on its public web server;
  • From November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident;
  • From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations;
  • From April 20, 2005 until June 1, 2012, Skagit County failed to implement and maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  • From April 20, 2005 until present, Skagit County failed to provide security awareness and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County.

To resolve OCR’s allegations of these breaches, Skagit County agrees under the Resolution Agreement to pay HHS $215,000.00 and to ensure that the Health Department implements a series of corrective actions.  Among other things, the Resolution Agreement requires that the Health Department:

  • Provide substitute Breach Notification to individuals not previously notified of the breach of their ePHI in accordance with the Resolution Agreement
  • Revise to the satisfaction of OCR and adopt revised accounting for disclosure, hybrid entity designations, policies on safeguarding PHI, including its sample business associate agreements;
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered health care components of Skagit County as identified in its hybrid entity documentation approved by HHS and implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.
  • Create and revise, as necessary, written policies and procedures for its covered health care components to comply with the Federal standards that govern the privacy, security, and breach notification of individually identifiable health information;
  • Comply with strict workforce training requirements;
  • Notify OCR of the occurrence of some reported breaches, its investigation and corrective actions;
  • Provide a summary of the reported events and the status of any corrective and preventative action relating to all such Reportable Events; and
  • Provide OCR with an attestation signed by an officer of Skagit County attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

In addition to bringing its policies and practices up to date with OCR regulations in effect at the time of the breach that resulted in the Resolution Agreement, the Health Department also will have to update its policies and practices to meet changes to OCR’s HIPAA rules that have taken effect since the breach under the revised rules published by OCR in its Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013 as well as a series of recently issued OCR rules such as the following:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

Covered Entities & Business Associates Should Review & Tighten Practices in Response To Resolution Agreement & Other New Guidance

Other covered entities and their business associates should carefully evaluate and tighten their existing practices in response to the Resolution Agreement and other recent guidance. In the past, OCR officials have stated that OCR expects other health care providers, health plans, health care clearinghouses and their business associates to review resolution agreements like this one along with other emerging OCR guidance and to update their practices as necessary to address concerns within their own organization that might be similar to those reflected in the applicable resolution agreement. The Resolution Agreement documents this expectation by specifically incorporating this requirement as part of its terms.

When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

Hear Stamer’s Update On Resolution Agreement & Other New HIPAA Developments At 3/18 North Texas Healthcare Professionals Association Meeting

Scribe for the American Bar Association Annual Agency Meeting with OCR for the fourth year, attorney Cynthia Marcotte Stamer will overview these and other HIPAA developments when she presents “Tutoring On OCR’s Latest HIPAA Homework” at the North Texas Healthcare Professionals Association Study Group Luncheon on Tuesday, March 18, 2014 from 11:30 p.m. to 1:00 p.m. at the offices of the Dallas Ft Worth Hospital Council, 250 Decker Drive, Irving, TX 75062-2706. A complimentary luncheon will be served to guests who register in advance. There is no charge to participate but space is limited. RSVP here by Noon on March 17, 2014.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include a wide range of other workshops, programs and publications on fraud and other compliance, operational and risk management, and other health industry matters.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here. 

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


OCR Assigns More HIPAA Compliance Work To Health Care Providers

March 5, 2014

Think your health care organization or health plan has health care privacy covered?  Think again.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handling protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements of the Omnibus Final Rule, which restated OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act, since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Meanwhile, the Omnibus Final Rule generally has required business associates to have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to demonstrate their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.



“Health Care Compliance Spooks & Goblins: Honing Your Compliance Ghost-Busting Skills” Topic of 10/19 NTHCPA Meeting

October 18, 2011

 

NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONAL ASSOCIATION

Invites Members and Guests to Our Next Study Group & Complimentary Halloween Month Luncheon

“Health Care Compliance Spooks & Goblins:  Honing Your Compliance Ghost-Busting Skills”

Moderated By

Texas Health Resources Regional Director Compliance & Privacy Tauna Shelton, FACHE, CHC, MHSM, MS

Wednesday, October 19, 2011
11:30 a.m. to 1:00 p.m.
Dallas Ft Worth Hospital Council

250 Decker Drive, Irving, TX 75062-2706

RSVP here

 

Recent high profile enforcement actions against prominent health care organizations in Dallas are a stark reminder of just a few of the many spooks and goblins that keep health care compliance professionals and their organizations up at night.

Reload your compliance ghost busting skills by joining the North Texas Healthcare Compliance Professional Association (NTHCPA) on Wednesday, October 19, 2011 from 11:30 a.m. to 1:00 p.m. at the Dallas Ft Worth Hospital Council for a complimentary lunch and a lively round table discussion with other health care compliance professionals of risk management compliance processes, practices and other ideas for managing their organization’s health care compliance spooks and goblins. This discussion of “Health Care Compliance Spooks & Goblins: Honing Your Compliance Ghost-Busting Skills” moderated by Texas Health Resources Regional Director Compliance & Privacy Tauna Shelton, FACHE, CHC, MHSM, MS will focus on processes and other tips to help manage intractable risks and uncertainties inherent in identifying, balancing, managing and mitigating compliance amid operational, financial, time, lack of clarity, competing obligations and responsibilities, and other practical limits on your resources and controls.

In celebration of Halloween, a complimentary light lunch will be provided by Cynthia Marcotte Stamer, P.C. for those who R.S.V.P. for the meeting here by 8:00 a.m. on Wednesday, October 19.

NTHCPA meetings are open to all NTHCPA members and other interested health care compliance professionals. Participation in the meeting is complimentary. Participants are responsible for any parking charges incurred. 

RSVP & Register For Invites & Updates

To help us to notify you about upcoming meetings and to arrange for adequate space for this and other meetings, interested persons are encouraged to forward their current contact information including e-mail to Vice-President Cynthia Marcotte Stamer by R.S.V.P. for the meeting here or by e-mail here by 8:00 a.m. on Wednesday, October 19. Stay on top of information about upcoming meetings and share and dialogue with other NTHCPA members about health care compliance challenges and developments by joining our Linked In Group here. Please feel free to share this invitation with others who may be interested.

About the NTHCPA & Involvement

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.  The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.  To register or update your registration or to receive notice of future meetings, e-mail here.

Would you like to get more involved? We encourage persons interested in serving on the steering committee, sponsoring refreshments for an upcoming meeting, suggesting topics or speakers, or seeking more information about membership or involvement with the NTHCPA to contact:

NTHCPA President Erma Lee at (817) 927-1232 or by e-mail here or

Vice-President Cynthia Marcotte Stamer at (469) 767-8872 or by e-mail here

This communication may be considered a marketing communication for certain purposes.  If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading here.

 

Please share this invitation with others who might be interested in this topic or other NTHCPA events!

